{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": [
                "snapd"
            ]
        },
        "deb": {
            "added": [
                "linux-headers-6.8.0-134-generic",
                "linux-image-6.8.0-134-generic",
                "linux-modules-6.8.0-134-generic",
                "linux-riscv-6.8-headers-6.8.0-134"
            ],
            "removed": [
                "linux-headers-6.8.0-124-generic",
                "linux-image-6.8.0-124-generic",
                "linux-modules-6.8.0-124-generic",
                "linux-riscv-6.8-headers-6.8.0-124"
            ],
            "diff": [
                "curl",
                "iproute2",
                "libcurl3-gnutls:riscv64",
                "libcurl4:riscv64",
                "libnghttp2-14:riscv64",
                "libnss3:riscv64",
                "libsqlite3-0:riscv64",
                "linux-headers-generic",
                "linux-headers-virtual",
                "linux-image-virtual",
                "linux-virtual",
                "ncurses-base",
                "ncurses-term",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "curl",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.24",
                    "version": "7.81.0-1ubuntu1.24"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.25",
                    "version": "7.81.0-1ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      in lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - CVE-2026-8927",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      in lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.81.0-1ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 29 Jun 2026 11:21:28 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "iproute2",
                "from_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "5.15.0-1ubuntu2.1",
                    "version": "5.15.0-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "5.15.0-1ubuntu2.2",
                    "version": "5.15.0-1ubuntu2.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2147525
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Modify tc/tbf and tc/htb to allow 64 bit burst parameter (LP: #2147525)",
                            "    - /d/p/lp2147525-1-tc-tbf-enable-64-bit-burst.patch",
                            "    - /d/p/lp2147525-2-tc-htb-enable-64-bit-burst.patch",
                            ""
                        ],
                        "package": "iproute2",
                        "version": "5.15.0-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2147525
                        ],
                        "author": "Ioana Lazea <ioana.lazea@canonical.com>",
                        "date": "Wed, 15 Apr 2026 10:15:26 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl3-gnutls:riscv64",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.24",
                    "version": "7.81.0-1ubuntu1.24"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.25",
                    "version": "7.81.0-1ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      in lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - CVE-2026-8927",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      in lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.81.0-1ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 29 Jun 2026 11:21:28 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl4:riscv64",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.24",
                    "version": "7.81.0-1ubuntu1.24"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.25",
                    "version": "7.81.0-1ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      in lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - CVE-2026-8927",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      in lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.81.0-1ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 29 Jun 2026 11:21:28 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnghttp2-14:riscv64",
                "from_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.43.0-1ubuntu0.3",
                    "version": "1.43.0-1ubuntu0.3"
                },
                "to_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.43.0-1ubuntu0.4",
                    "version": "1.43.0-1ubuntu0.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-58055",
                        "url": "https://ubuntu.com/security/CVE-2026-58055",
                        "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-28 02:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-58055",
                                "url": "https://ubuntu.com/security/CVE-2026-58055",
                                "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-28 02:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP request/response smuggling issue",
                            "    - debian/patches/CVE-2026-58055-pre1.patch: nghttpx: Remove trailing white",
                            "      spaces from HTTP/1.1 fields in src/shrpx-unittest.cc,",
                            "      src/shrpx_downstream.h, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_https_upstream.cc, src/util.cc, src/util.h, src/util_test.cc,",
                            "      src/util_test.h.",
                            "    - debian/patches/CVE-2026-58055-pre2.patch: nghttpx: Stricter transfer-",
                            "      encoding checks in integration-tests/nghttpx_http1_test.go, src/http2.cc,",
                            "      src/http2.h, src/http2_test.cc, src/http2_test.h, src/shrpx-unittest.cc,",
                            "      src/shrpx_downstream.cc, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_https_upstream.cc.",
                            "    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP",
                            "      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,",
                            "      src/shrpx_http2_upstream.cc, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.",
                            "    - CVE-2026-58055",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.43.0-1ubuntu0.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 30 Jun 2026 13:21:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnss3:riscv64",
                "from_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.98-0ubuntu0.22.04.3",
                    "version": "2:3.98-0ubuntu0.22.04.3"
                },
                "to_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.98-0ubuntu0.22.04.4",
                    "version": "2:3.98-0ubuntu0.22.04.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-12318",
                        "url": "https://ubuntu.com/security/CVE-2026-12318",
                        "cve_description": "Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-16 13:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-12318",
                                "url": "https://ubuntu.com/security/CVE-2026-12318",
                                "cve_description": "Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-16 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OOB read in pk11uri_ParseAttributes",
                            "    - debian/patches/CVE-2026-12318.patch: improve handling of escape",
                            "      sequences in nss/lib/util/pkcs11uri.c.",
                            "    - CVE-2026-12318",
                            ""
                        ],
                        "package": "nss",
                        "version": "2:3.98-0ubuntu0.22.04.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 07:26:25 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsqlite3-0:riscv64",
                "from_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.37.2-2ubuntu0.5",
                    "version": "3.37.2-2ubuntu0.5"
                },
                "to_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.37.2-2ubuntu0.6",
                    "version": "3.37.2-2ubuntu0.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-11822",
                        "url": "https://ubuntu.com/security/CVE-2026-11822",
                        "cve_description": "SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11824",
                        "url": "https://ubuntu.com/security/CVE-2026-11824",
                        "cve_description": "SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-11822",
                                "url": "https://ubuntu.com/security/CVE-2026-11822",
                                "cve_description": "SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11824",
                                "url": "https://ubuntu.com/security/CVE-2026-11824",
                                "cve_description": "SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: security issues in FTS5 full-text search",
                            "    - debian/patches/CVE-2026-11822_4.patch: Fix logic in ext/fts5/fts5_index.c.",
                            "    - CVE-2026-11822",
                            "    - CVE-2026-11824",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.37.2-2ubuntu0.6",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 16 Jun 2026 13:53:33 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-generic",
                "from_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.124.124~22.04.1",
                    "version": "6.8.0.124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.134.134~22.04.1",
                    "version": "6.8.0.134.134~22.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-134.134~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 17:03:14 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-131.131~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:46:33 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-130.130~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:29:15 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-virtual",
                "from_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.124.124~22.04.1",
                    "version": "6.8.0.124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.134.134~22.04.1",
                    "version": "6.8.0.134.134~22.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-134.134~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 17:03:14 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-131.131~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:46:33 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-130.130~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:29:15 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.124.124~22.04.1",
                    "version": "6.8.0.124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.134.134~22.04.1",
                    "version": "6.8.0.134.134~22.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-134.134~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 17:03:14 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-131.131~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:46:33 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-130.130~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:29:15 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-virtual",
                "from_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.124.124~22.04.1",
                    "version": "6.8.0.124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv-6.8",
                    "source_package_version": "6.8.0.134.134~22.04.1",
                    "version": "6.8.0.134.134~22.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-134.134~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 17:03:14 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-131.131~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:46:33 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 6.8.0-130.130~22.04",
                            ""
                        ],
                        "package": "linux-meta-riscv-6.8",
                        "version": "6.8.0.130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:29:15 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ncurses-base",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ncurses-term",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": [
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": "26878"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": "27417"
                }
            }
        ]
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-6.8.0-134-generic",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-134.134~22.04.1",
                    "version": "6.8.0-134.134~22.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43185",
                        "url": "https://ubuntu.com/security/CVE-2026-43185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-06 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43501",
                        "url": "https://ubuntu.com/security/CVE-2026-43501",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45988",
                        "url": "https://ubuntu.com/security/CVE-2026-45988",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46043",
                        "url": "https://ubuntu.com/security/CVE-2026-46043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43493",
                        "url": "https://ubuntu.com/security/CVE-2026-43493",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43071",
                        "url": "https://ubuntu.com/security/CVE-2026-43071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-05 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31685",
                        "url": "https://ubuntu.com/security/CVE-2026-31685",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43117",
                        "url": "https://ubuntu.com/security/CVE-2026-43117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43114",
                        "url": "https://ubuntu.com/security/CVE-2026-43114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31607",
                        "url": "https://ubuntu.com/security/CVE-2026-31607",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31659",
                        "url": "https://ubuntu.com/security/CVE-2026-31659",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31649",
                        "url": "https://ubuntu.com/security/CVE-2026-31649",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31657",
                        "url": "https://ubuntu.com/security/CVE-2026-31657",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31637",
                        "url": "https://ubuntu.com/security/CVE-2026-31637",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31669",
                        "url": "https://ubuntu.com/security/CVE-2026-31669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31668",
                        "url": "https://ubuntu.com/security/CVE-2026-31668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43011",
                        "url": "https://ubuntu.com/security/CVE-2026-43011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43037",
                        "url": "https://ubuntu.com/security/CVE-2026-43037",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43341",
                        "url": "https://ubuntu.com/security/CVE-2026-43341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43038",
                        "url": "https://ubuntu.com/security/CVE-2026-43038",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31682",
                        "url": "https://ubuntu.com/security/CVE-2026-31682",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31436",
                        "url": "https://ubuntu.com/security/CVE-2026-31436",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43384",
                        "url": "https://ubuntu.com/security/CVE-2026-43384",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31448",
                        "url": "https://ubuntu.com/security/CVE-2026-31448",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31478",
                        "url": "https://ubuntu.com/security/CVE-2026-31478",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23428",
                        "url": "https://ubuntu.com/security/CVE-2026-23428",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23450",
                        "url": "https://ubuntu.com/security/CVE-2026-23450",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23455",
                        "url": "https://ubuntu.com/security/CVE-2026-23455",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31402",
                        "url": "https://ubuntu.com/security/CVE-2026-31402",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43383",
                        "url": "https://ubuntu.com/security/CVE-2026-43383",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43378",
                        "url": "https://ubuntu.com/security/CVE-2026-43378",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43414",
                        "url": "https://ubuntu.com/security/CVE-2026-43414",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43407",
                        "url": "https://ubuntu.com/security/CVE-2026-43407",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43406",
                        "url": "https://ubuntu.com/security/CVE-2026-43406",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23249",
                        "url": "https://ubuntu.com/security/CVE-2026-23249",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71267",
                        "url": "https://ubuntu.com/security/CVE-2025-71267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71265",
                        "url": "https://ubuntu.com/security/CVE-2025-71265",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71266",
                        "url": "https://ubuntu.com/security/CVE-2025-71266",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23241",
                        "url": "https://ubuntu.com/security/CVE-2026-23241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71239",
                        "url": "https://ubuntu.com/security/CVE-2025-71239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31411",
                        "url": "https://ubuntu.com/security/CVE-2026-31411",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23243",
                        "url": "https://ubuntu.com/security/CVE-2026-23243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23242",
                        "url": "https://ubuntu.com/security/CVE-2026-23242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71233",
                        "url": "https://ubuntu.com/security/CVE-2025-71233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71231",
                        "url": "https://ubuntu.com/security/CVE-2025-71231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23169",
                        "url": "https://ubuntu.com/security/CVE-2026-23169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-14 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40005",
                        "url": "https://ubuntu.com/security/CVE-2025-40005",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71232",
                        "url": "https://ubuntu.com/security/CVE-2025-71232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71235",
                        "url": "https://ubuntu.com/security/CVE-2025-71235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71236",
                        "url": "https://ubuntu.com/security/CVE-2025-71236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71229",
                        "url": "https://ubuntu.com/security/CVE-2025-71229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71237",
                        "url": "https://ubuntu.com/security/CVE-2025-71237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23229",
                        "url": "https://ubuntu.com/security/CVE-2026-23229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23222",
                        "url": "https://ubuntu.com/security/CVE-2026-23222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23228",
                        "url": "https://ubuntu.com/security/CVE-2026-23228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23220",
                        "url": "https://ubuntu.com/security/CVE-2026-23220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23230",
                        "url": "https://ubuntu.com/security/CVE-2026-23230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23272",
                        "url": "https://ubuntu.com/security/CVE-2026-23272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31418",
                        "url": "https://ubuntu.com/security/CVE-2026-31418",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23392",
                        "url": "https://ubuntu.com/security/CVE-2026-23392",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-03-25 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23278",
                        "url": "https://ubuntu.com/security/CVE-2026-23278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47337",
                        "url": "https://ubuntu.com/security/CVE-2026-47337",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47336",
                        "url": "https://ubuntu.com/security/CVE-2026-47336",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47335",
                        "url": "https://ubuntu.com/security/CVE-2026-47335",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47334",
                        "url": "https://ubuntu.com/security/CVE-2026-47334",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47333",
                        "url": "https://ubuntu.com/security/CVE-2026-47333",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47332",
                        "url": "https://ubuntu.com/security/CVE-2026-47332",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47331",
                        "url": "https://ubuntu.com/security/CVE-2026-47331",
                        "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47330",
                        "url": "https://ubuntu.com/security/CVE-2026-47330",
                        "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47329",
                        "url": "https://ubuntu.com/security/CVE-2026-47329",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47327",
                        "url": "https://ubuntu.com/security/CVE-2026-47327",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47328",
                        "url": "https://ubuntu.com/security/CVE-2026-47328",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47326",
                        "url": "https://ubuntu.com/security/CVE-2026-47326",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46300",
                        "url": "https://ubuntu.com/security/CVE-2026-46300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-23 12:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46333",
                        "url": "https://ubuntu.com/security/CVE-2026-46333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43500",
                        "url": "https://ubuntu.com/security/CVE-2026-43500",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-11 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31676",
                        "url": "https://ubuntu.com/security/CVE-2026-31676",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43284",
                        "url": "https://ubuntu.com/security/CVE-2026-43284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31419",
                        "url": "https://ubuntu.com/security/CVE-2026-31419",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31431",
                        "url": "https://ubuntu.com/security/CVE-2026-31431",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31533",
                        "url": "https://ubuntu.com/security/CVE-2026-31533",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-23 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31504",
                        "url": "https://ubuntu.com/security/CVE-2026-31504",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2158431,
                    2158432,
                    2158377,
                    2157195,
                    2157196,
                    1786013,
                    2151948,
                    2154560,
                    2146465,
                    2153556,
                    2152194,
                    2141536,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2148714,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2154172,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2148809,
                    2151747,
                    2151747,
                    2151747,
                    2153962
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-134.134~22.04.1 -proposed tracker (LP: #2158431)",
                            "",
                            "  [ Ubuntu: 6.8.0-134.134 ]",
                            "",
                            "  * noble/linux: 6.8.0-134.134 -proposed tracker (LP: #2158432)",
                            "  * ext4: writeback causes kernel oops when low on space (LP: #2158377)",
                            "    - ext4: get rid of ppath in get_ext_path()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2158431,
                            2158432,
                            2158377
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 16:08:57 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43185",
                                "url": "https://ubuntu.com/security/CVE-2026-43185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-06 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43501",
                                "url": "https://ubuntu.com/security/CVE-2026-43501",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45988",
                                "url": "https://ubuntu.com/security/CVE-2026-45988",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46043",
                                "url": "https://ubuntu.com/security/CVE-2026-46043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43493",
                                "url": "https://ubuntu.com/security/CVE-2026-43493",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43071",
                                "url": "https://ubuntu.com/security/CVE-2026-43071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-05 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31685",
                                "url": "https://ubuntu.com/security/CVE-2026-31685",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43117",
                                "url": "https://ubuntu.com/security/CVE-2026-43117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43114",
                                "url": "https://ubuntu.com/security/CVE-2026-43114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31607",
                                "url": "https://ubuntu.com/security/CVE-2026-31607",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31659",
                                "url": "https://ubuntu.com/security/CVE-2026-31659",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31649",
                                "url": "https://ubuntu.com/security/CVE-2026-31649",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31657",
                                "url": "https://ubuntu.com/security/CVE-2026-31657",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31637",
                                "url": "https://ubuntu.com/security/CVE-2026-31637",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31669",
                                "url": "https://ubuntu.com/security/CVE-2026-31669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31668",
                                "url": "https://ubuntu.com/security/CVE-2026-31668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43011",
                                "url": "https://ubuntu.com/security/CVE-2026-43011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43037",
                                "url": "https://ubuntu.com/security/CVE-2026-43037",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43341",
                                "url": "https://ubuntu.com/security/CVE-2026-43341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43038",
                                "url": "https://ubuntu.com/security/CVE-2026-43038",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31682",
                                "url": "https://ubuntu.com/security/CVE-2026-31682",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31436",
                                "url": "https://ubuntu.com/security/CVE-2026-31436",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43384",
                                "url": "https://ubuntu.com/security/CVE-2026-43384",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31448",
                                "url": "https://ubuntu.com/security/CVE-2026-31448",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31478",
                                "url": "https://ubuntu.com/security/CVE-2026-31478",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23428",
                                "url": "https://ubuntu.com/security/CVE-2026-23428",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23450",
                                "url": "https://ubuntu.com/security/CVE-2026-23450",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23455",
                                "url": "https://ubuntu.com/security/CVE-2026-23455",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31402",
                                "url": "https://ubuntu.com/security/CVE-2026-31402",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43383",
                                "url": "https://ubuntu.com/security/CVE-2026-43383",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43378",
                                "url": "https://ubuntu.com/security/CVE-2026-43378",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43414",
                                "url": "https://ubuntu.com/security/CVE-2026-43414",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43407",
                                "url": "https://ubuntu.com/security/CVE-2026-43407",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43406",
                                "url": "https://ubuntu.com/security/CVE-2026-43406",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-131.131~22.04.1 -proposed tracker (LP: #2157195)",
                            "",
                            "  [ Ubuntu: 6.8.0-131.131 ]",
                            "",
                            "  * noble/linux: 6.8.0-131.131 -proposed tracker (LP: #2157196)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "  * CVE-2026-43185",
                            "    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "  * CVE-2026-43501",
                            "    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
                            "  * CVE-2026-45988",
                            "    - rxrpc: Fix re-decryption of RESPONSE packets",
                            "  * CVE-2026-46043",
                            "    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv",
                            "  * CVE-2026-43493",
                            "    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests",
                            "  * CVE-2026-43071",
                            "    - dcache: Limit the minimal number of bucket to two",
                            "  * CVE-2026-31685",
                            "    - netfilter: ip6t_eui64: reject invalid MAC header for all packets",
                            "  * CVE-2026-43117",
                            "    - btrfs: tracepoints: get correct superblock from dentry in event",
                            "      btrfs_sync_file()",
                            "  * CVE-2026-43114",
                            "    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on",
                            "      expiry",
                            "  * CVE-2026-31607",
                            "    - usbip: validate number_of_packets in usbip_pack_ret_submit()",
                            "  * CVE-2026-31659",
                            "    - batman-adv: reject oversized global TT response buffers",
                            "  * CVE-2026-31649",
                            "    - net: stmmac: fix integer underflow in chain mode",
                            "  * CVE-2026-31657",
                            "    - batman-adv: hold claim backbone gateways by reference",
                            "  * CVE-2026-31637",
                            "    - rxrpc: reject undecryptable rxkad response tickets",
                            "  * CVE-2026-31669",
                            "    - mptcp: fix slab-use-after-free in __inet_lookup_established",
                            "  * CVE-2026-31668",
                            "    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel",
                            "  * CVE-2026-43011",
                            "    - net/x25: Fix potential double free of skb",
                            "  * CVE-2026-43037",
                            "    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()",
                            "  * CVE-2026-43341",
                            "    - net/ipv6: ioam6: prevent schema length wraparound in trace fill",
                            "  * CVE-2026-43038",
                            "    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()",
                            "  * CVE-2026-31682",
                            "    - bridge: br_nd_send: linearize skb before parsing ND options",
                            "  * CVE-2026-31436",
                            "    - dmaengine: idxd: fix possible wrong descriptor completion in",
                            "      llist_abort_desc()",
                            "  * CVE-2026-43384",
                            "    - net/tcp-ao: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-31448",
                            "    - ext4: get rid of ppath in ext4_find_extent()",
                            "    - ext4: get rid of ppath in ext4_ext_create_new_leaf()",
                            "    - ext4: get rid of ppath in ext4_ext_insert_extent()",
                            "    - ext4: avoid infinite loops caused by residual data",
                            "  * CVE-2026-31478",
                            "    - ksmbd: replace hardcoded hdr2_len with offsetof() in",
                            "      smb2_calc_max_out_buf_len()",
                            "  * CVE-2026-23428",
                            "    - ksmbd: fix use-after-free of share_conf in compound request",
                            "  * CVE-2026-23450",
                            "    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()",
                            "  * CVE-2026-23455",
                            "    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()",
                            "  * CVE-2026-31402",
                            "    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
                            "  * CVE-2026-43383",
                            "    - net/tcp-md5: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-43378",
                            "    - smb: server: fix use-after-free in smb2_open()",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            "  * CVE-2026-43414",
                            "    - scsi: qla2xxx: Completely fix fcport double free",
                            "  * CVE-2026-43407",
                            "    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()",
                            "  * CVE-2026-43406",
                            "    - libceph: prevent potential out-of-bounds reads in",
                            "      process_message_header()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2157195,
                            2157196,
                            1786013
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:45:49 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23249",
                                "url": "https://ubuntu.com/security/CVE-2026-23249",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71267",
                                "url": "https://ubuntu.com/security/CVE-2025-71267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71265",
                                "url": "https://ubuntu.com/security/CVE-2025-71265",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71266",
                                "url": "https://ubuntu.com/security/CVE-2025-71266",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23241",
                                "url": "https://ubuntu.com/security/CVE-2026-23241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71239",
                                "url": "https://ubuntu.com/security/CVE-2025-71239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31411",
                                "url": "https://ubuntu.com/security/CVE-2026-31411",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23243",
                                "url": "https://ubuntu.com/security/CVE-2026-23243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23242",
                                "url": "https://ubuntu.com/security/CVE-2026-23242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71233",
                                "url": "https://ubuntu.com/security/CVE-2025-71233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71231",
                                "url": "https://ubuntu.com/security/CVE-2025-71231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23169",
                                "url": "https://ubuntu.com/security/CVE-2026-23169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-14 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40005",
                                "url": "https://ubuntu.com/security/CVE-2025-40005",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71232",
                                "url": "https://ubuntu.com/security/CVE-2025-71232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71235",
                                "url": "https://ubuntu.com/security/CVE-2025-71235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71236",
                                "url": "https://ubuntu.com/security/CVE-2025-71236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71229",
                                "url": "https://ubuntu.com/security/CVE-2025-71229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71237",
                                "url": "https://ubuntu.com/security/CVE-2025-71237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23229",
                                "url": "https://ubuntu.com/security/CVE-2026-23229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23222",
                                "url": "https://ubuntu.com/security/CVE-2026-23222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23228",
                                "url": "https://ubuntu.com/security/CVE-2026-23228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23220",
                                "url": "https://ubuntu.com/security/CVE-2026-23220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23230",
                                "url": "https://ubuntu.com/security/CVE-2026-23230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23272",
                                "url": "https://ubuntu.com/security/CVE-2026-23272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31418",
                                "url": "https://ubuntu.com/security/CVE-2026-31418",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23392",
                                "url": "https://ubuntu.com/security/CVE-2026-23392",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-03-25 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23278",
                                "url": "https://ubuntu.com/security/CVE-2026-23278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47337",
                                "url": "https://ubuntu.com/security/CVE-2026-47337",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47336",
                                "url": "https://ubuntu.com/security/CVE-2026-47336",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47335",
                                "url": "https://ubuntu.com/security/CVE-2026-47335",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47334",
                                "url": "https://ubuntu.com/security/CVE-2026-47334",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47333",
                                "url": "https://ubuntu.com/security/CVE-2026-47333",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47332",
                                "url": "https://ubuntu.com/security/CVE-2026-47332",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47331",
                                "url": "https://ubuntu.com/security/CVE-2026-47331",
                                "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47330",
                                "url": "https://ubuntu.com/security/CVE-2026-47330",
                                "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47329",
                                "url": "https://ubuntu.com/security/CVE-2026-47329",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47327",
                                "url": "https://ubuntu.com/security/CVE-2026-47327",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47328",
                                "url": "https://ubuntu.com/security/CVE-2026-47328",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47326",
                                "url": "https://ubuntu.com/security/CVE-2026-47326",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46300",
                                "url": "https://ubuntu.com/security/CVE-2026-46300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-23 12:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46333",
                                "url": "https://ubuntu.com/security/CVE-2026-46333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43500",
                                "url": "https://ubuntu.com/security/CVE-2026-43500",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-11 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31676",
                                "url": "https://ubuntu.com/security/CVE-2026-31676",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43284",
                                "url": "https://ubuntu.com/security/CVE-2026-43284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31419",
                                "url": "https://ubuntu.com/security/CVE-2026-31419",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31431",
                                "url": "https://ubuntu.com/security/CVE-2026-31431",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31533",
                                "url": "https://ubuntu.com/security/CVE-2026-31533",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-23 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31504",
                                "url": "https://ubuntu.com/security/CVE-2026-31504",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-130.130~22.04.1 -proposed tracker (LP: #2151948)",
                            "",
                            "  [ Ubuntu: 6.8.0-130.130 ]",
                            "",
                            "  * noble/linux: 6.8.0-130.130 -proposed tracker (LP: #2154560)",
                            "  * Noble update: upstream stable patchset 2026-03-26 (LP: #2146465)",
                            "    - Revert \"UBUNTU: SAUCE: Fix skb_vlan_inet_prepare() usage\"",
                            "  * Kernel regression (6.8.0-117.generic) (LP: #2153556)",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - bonding: do not set usable_slaves for broadcast mode",
                            "  * perf_cpu_map__merge fails to compile on ppc46el, s390x on noble linux",
                            "    (LP: #2152194)",
                            "    - SAUCE: temporary fix attempt for size eceed",
                            "  * Some powerpc test from ubuntu_kernel_selftests timeout with 45 seconds",
                            "    (LP: #2141536)",
                            "    - selftests/powerpc: Lower run time of count_stcx_fail test",
                            "    - selftests/powerpc: Give all tests 2 minutes timeout",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809)",
                            "    - auxdisplay: arm-charlcd: fix release_mem_region() size",
                            "    - hfsplus: return error when node already exists in hfs_bnode_create",
                            "    - rcu: s/boost_kthread_mutex/kthread_mutex",
                            "    - rcu/exp: Move expedited kthread worker creation functions above",
                            "      rcutree_prepare_cpu()",
                            "    - rcu: Refactor expedited handling check in rcu_read_unlock_special()",
                            "    - rcu: Remove local_irq_save/restore() in",
                            "      rcu_preempt_deferred_qs_handler()",
                            "    - rcu: Fix rcu_read_unlock() deadloop due to softirq",
                            "    - audit: move the compat_xxx_class[] extern declarations to audit_arch.h",
                            "    - i3c: Move device name assignment after i3c_bus_init",
                            "    - fs: add <linux/init_task.h> for 'init_fs'",
                            "    - i3c: master: Update hot-join flag only on success",
                            "    - gfs2: Retries missing in gfs2_{rename,exchange}",
                            "    - gfs2: Fix use-after-free in iomap inline data write path",
                            "    - i3c: dw: Initialize spinlock to avoid upsetting lockdep",
                            "    - tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure",
                            "    - tpm: st33zp24: Fix missing cleanup on get_burstcount() error",
                            "    - btrfs: qgroup: return correct error when deleting qgroup relation item",
                            "    - btrfs: fix block_group_tree dirty_list corruption",
                            "    - smb: client: fix potential UAF and double free in smb2_open_file()",
                            "    - xen/virtio: Don't use grant-dma-ops when running as Dom0",
                            "    - ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()",
                            "    - io_uring/sync: validate passed in offset",
                            "    - cpuidle: menu: Cleanup after loadavg removal",
                            "    - cpuidle: governors: menu: Always check timers with tick stopped",
                            "    - md/raid10: fix any_working flag handling in raid10_sync_request",
                            "    - iomap: fix submission side handling of completion side errors",
                            "    - ublk: Validate SQE128 flag before accessing the cmd",
                            "    - x86/xen: make some functions static",
                            "    - Partial revert \"x86/xen: fix balloon target initialization for PVH dom0\"",
                            "    - PM: wakeup: Handle empty list in wakeup_sources_walk_start()",
                            "    - perf: arm_spe: Properly set hw.state on failures",
                            "    - PM: sleep: wakeirq: harden dev_pm_clear_wake_irq() against races",
                            "    - s390/cio: Fix device lifecycle handling in css_alloc_subchannel()",
                            "    - crypto: qat - fix warning on adf_pfvf_pf_proto.c",
                            "    - selftests/bpf: veristat: fix printing order in output_stats()",
                            "    - libbpf: Fix OOB read in btf_dump_get_bitfield_value",
                            "    - ARM: VDSO: Patch out __vdso_clock_getres() if unavailable",
                            "    - crypto: cavium - fix dma_free_coherent() size",
                            "    - crypto: octeontx - fix dma_free_coherent() size",
                            "    - crypto: hisilicon/zip - adjust the way to obtain the req in the callback",
                            "      function",
                            "    - crypto: hisilicon/sec2 - support skcipher/aead fallback for hardware",
                            "      queue unavailable",
                            "    - hrtimer: Fix trace oddity",
                            "    - bpf, sockmap: Fix incorrect copied_seq calculation",
                            "    - bpf, sockmap: Fix FIONREAD for sockmap",
                            "    - crypto: hisilicon/trng - modifying the order of header files",
                            "    - crypto: hisilicon/trng - support tfms sharing the device",
                            "    - bpf: Fix bpf_xdp_store_bytes proto for read-only arg",
                            "    - scsi: efct: Use IRQF_ONESHOT and default primary handler",
                            "    - EDAC/altera: Remove IRQF_ONESHOT",
                            "    - mfd: wm8350-core: Use IRQF_ONESHOT",
                            "    - sched/rt: Skip currently executing CPU in rto_next_cpu()",
                            "    - pstore/ram: fix buffer overflow in persistent_ram_save_old()",
                            "    - soc: qcom: smem: handle ENOMEM error during probe",
                            "    - EDAC/i5000: Fix snprintf() size calculation in calculate_dimm_size()",
                            "    - EDAC/i5400: Fix snprintf() limit calculation in calculate_dimm_size()",
                            "    - arm64: dts: tqma8mpql-mba8mpxl: Fix HDMI CEC pad control settings",
                            "    - clk: qcom: Return correct error code in qcom_cc_probe_by_index()",
                            "    - arm64: dts: qcom: sdm630: fix gpu_speed_bin size",
                            "    - arm64: dts: qcom: sdm845-oneplus: Don't mark ts supply boot-on",
                            "    - ARM: dts: allwinner: sun5i-a13-utoo-p66: delete \"power-gpios\" property",
                            "    - powerpc/uaccess: Move barrier_nospec() out of",
                            "      allow_read_{from/write}_user()",
                            "    - soc: qcom: cmd-db: Use devm_memremap() to fix memory leak in",
                            "      cmd_db_dev_probe",
                            "    - soc: mediatek: svs: Fix memory leak in svs_enable_debug_write()",
                            "    - powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event",
                            "      handling",
                            "    - ARM: dts: lpc32xx: Set motor PWM #pwm-cells property value to 3 cells",
                            "    - arm: dts: lpc32xx: add clocks property to Motor Control PWM device tree",
                            "      node",
                            "    - arm64: dts: amlogic: axg: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: gx: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC B and C signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC A signal clock",
                            "    - arm64: dts: qcom: sdm845-db845c: drop CS from SPIO0",
                            "    - arm64: dts: qcom: sdm845-db845c: specify power for WiFi CH1",
                            "    - arm64: dts: qcom: sm6115: Add CX_MEM/DBGC GPU regions",
                            "    - workqueue: Factor out assign_rescuer_work()",
                            "    - workqueue: Only assign rescuer work when really needed",
                            "    - workqueue: Process rescuer work items one-by-one using a cursor",
                            "    - smack: /smack/doi must be > 0",
                            "    - smack: /smack/doi: accept previously used values",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - ASoC: nau8821: Fixup nau8821_enable_jack_detect()",
                            "    - drm/amdgpu: Use explicit VCN instance 0 in SR-IOV init",
                            "    - drm/msm/disp/dpu: add merge3d support for sc7280",
                            "    - regulator: core: move supply check earlier in set_machine_constraints()",
                            "    - HID: playstation: Add missing check for input_ff_create_memless",
                            "    - drm/msm/dpu: fix CMD panels on DPU 1.x - 3.x",
                            "    - media: ccs: Accommodate C-PHY into the calculation",
                            "    - drm/msm/a2xx: fix pixel shader start on A225",
                            "    - platform/chrome: cros_typec_switch: Don't touch struct",
                            "      fwnode_handle::dev",
                            "    - media: uvcvideo: Fix allocation for small frame sizes",
                            "    - platform/chrome: cros_ec_lightbar: Fix response size initialization",
                            "    - spi: tools: Add include folder to .gitignore",
                            "    - Revert \"hwmon: (ibmpex) fix use-after-free in high/low store\"",
                            "    - PCI: mediatek: Fix IRQ domain leak when MSI allocation fails",
                            "    - Documentation: PCI: endpoint: Fix ntb/vntb copy & paste errors",
                            "    - PCI/PM: Avoid redundant delays on D3hot->D3cold",
                            "    - PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails",
                            "    - Documentation: tracing: Add ring-buffer mapping",
                            "    - docs: fix WARNING document not included in any toctree",
                            "    - Documentation: trace: Refactor toctree",
                            "    - Documentation: tracing: Add PCI tracepoint documentation",
                            "    - PCI: Do not attempt to set ExtTag for VFs",
                            "    - PCI/portdrv: Fix potential resource leak",
                            "    - quota: fix livelock between quotactl and freeze_super",
                            "    - net: mctp-i2c: fix duplicate reception of old data",
                            "    - mctp i2c: initialise event handler read bytes",
                            "    - wifi: cfg80211: stop NAN and P2P in cfg80211_leave",
                            "    - netfilter: nf_tables: reset table validation state on abort",
                            "    - netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH",
                            "    - netfilter: nf_conncount: increase the connection clean up limit to 64",
                            "    - netfilter: nft_compat: add more restrictions on netlink attributes",
                            "    - netfilter: nf_conncount: fix tracking of connections from localhost",
                            "    - module: add helper function for reading module_buildid()",
                            "    - kallsyms/ftrace: set module buildid in ftrace_mod_address_lookup()",
                            "    - PCI: Mark 3ware-9650SA Root Port Extended Tags as broken",
                            "    - iommu/vt-d: Flush cache for PASID table before using it",
                            "    - dm: use bio_clone_blkg_association",
                            "    - nfsd: never defer requests during idmap lookup",
                            "    - fat: avoid parent link count underflow in rmdir",
                            "    - tcp: tcp_tx_timestamp() must look at the rtx queue",
                            "    - wifi: ath10k: sdio: add missing lock protection in",
                            "      ath10k_sdio_fw_crashed_dump()",
                            "    - PCI: Initialize RCB from pci_configure_device()",
                            "    - PCI: Add PCIE_MSG_CODE_ASSERT_INTx message macros",
                            "    - PCI: Add defines for bridge window indexing",
                            "    - PCI/ACPI: Restrict program_hpx_type2() to AER bits",
                            "    - ipc: don't audit capability check in ipc_permissions()",
                            "    - ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()",
                            "    - of: unittest: fix possible null-pointer dereferences in",
                            "      of_unittest_property_copy()",
                            "    - mptcp: fix receive space timestamp initialization",
                            "    - octeontx2-af: Fix PF driver crash with kexec kernel booting",
                            "    - bonding: only set speed/duplex to unknown, if getting speed failed",
                            "    - inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP",
                            "    - nfc: hci: shdlc: Stop timers and work before freeing context",
                            "    - netfilter: nft_set_hash: fix get operation on big endian",
                            "    - netfilter: nft_counter: fix reset of counters on 32bit archs",
                            "    - netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets",
                            "    - PCI: Add ACS quirk for Pericom PI7C9X2G404 switches [12d8:b404]",
                            "    - net: hns3: fix double free issue for tx spare buffer",
                            "    - procfs: fix missing RCU protection when reading real_parent in",
                            "      do_task_stat()",
                            "    - smb: client: correct value for smbd_max_fragmented_recv_size",
                            "    - net: sunhme: Fix sbus regression",
                            "    - net: Add skb_dstref_steal and skb_dstref_restore",
                            "    - net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input",
                            "      callers",
                            "    - xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path",
                            "    - serial: caif: fix use-after-free in caif_serial ldisc_close()",
                            "    - octeon_ep: disable per ring interrupts",
                            "    - octeon_ep: ensure dbell BADDR updation",
                            "    - ionic: Rate limit unknown xcvr type messages",
                            "    - octeontx2-pf: Unregister devlink on probe failure",
                            "    - RDMA/rtrs: server: remove dead code",
                            "    - IB/cache: update gid cache on client reregister event",
                            "    - RDMA/hns: Fix WQ_MEM_RECLAIM warning",
                            "    - RDMA/hns: Notify ULP of remaining soft-WCs during reset",
                            "    - power: supply: ab8500: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: act8945a: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq256xx: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq25980: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: cpcap-battery: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: goldfish: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: rt9455: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: sbs-battery: Fix use-after-free in power_supply_changed()",
                            "    - power: reset: nvmem-reboot-mode: respect cell size for nvmem_cell_write",
                            "    - power: supply: bq27xxx: fix wrong errno when bus ops are unsupported",
                            "    - power: supply: wm97xx: Fix NULL pointer dereference in",
                            "      power_supply_changed()",
                            "    - RDMA/rtrs-srv: fix SG mapping",
                            "    - RDMA/rxe: Fix double free in rxe_srq_from_init",
                            "    - tools/power/x86/intel-speed-select: Fix file descriptor leak in",
                            "      isolate_cpus()",
                            "    - mtd: rawnand: cadence: Fix return type of CDMA send-and-wait helper",
                            "    - crypto: ccp - Add an S4 restore flow",
                            "    - crypto: ccp - Factor out ring destroy handling to a helper",
                            "    - crypto: ccp - Send PSP_CMD_TEE_RING_DESTROY when PSP_CMD_TEE_RING_INIT",
                            "      fails",
                            "    - mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()",
                            "    - RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send",
                            "    - RDMA/rxe: Fix race condition in QP timer handlers",
                            "    - svcrdma: Increase the per-transport rw_ctx count",
                            "    - svcrdma: Reduce the number of rdma_rw contexts per-QP",
                            "    - RDMA/core: add rdma_rw_max_sge() helper for SQ sizing",
                            "    - cxl: Fix premature commit_end increment on decoder commit failure",
                            "    - mtd: parsers: ofpart: fix OF node refcount leak in",
                            "      parse_fixed_partitions()",
                            "    - mtd: spinand: Fix kernel doc",
                            "    - power: supply: qcom_battmgr: Recognize \"LiP\" as lithium-polymer",
                            "    - RDMA/uverbs: Add __GFP_NOWARN to ib_uverbs_unmarshall_recv() kmalloc",
                            "    - pNFS: fix a missing wake up while waiting on NFS_LAYOUT_DRAIN",
                            "    - scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()",
                            "    - scsi: ufs: host: mediatek: Require CONFIG_PM",
                            "    - scsi: csiostor: Fix dereference of null pointer rn",
                            "    - nvdimm: virtio_pmem: serialize flush requests",
                            "    - fs/nfs: Fix readdir slow-start regression",
                            "    - tracing: Properly process error handling in event_hist_trigger_parse()",
                            "    - tracing: Remove duplicate ENABLE_EVENT_STR and DISABLE_EVENT_STR macros",
                            "    - fbdev: of_display_timing: Fix device node reference leak in",
                            "      of_get_display_timings()",
                            "    - fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe()",
                            "    - clk: qcom: gcc-sm8550: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: rcg2: compute 2d using duty fraction directly",
                            "    - clk: meson: gxbb: Limit the HDMI PLL OD to /4 on GXL/GXM SoCs",
                            "    - clk: qcom: gcc-sm8450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-sdx75: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-qdu1000: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-msm8953: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-msm8917: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-ipq5018: flag sleep clock as critical",
                            "    - clk: Move clk_{save,restore}_context() to COMMON_CLK section",
                            "    - clk: qcom: dispcc-sdm845: Enable parents for pixel clocks",
                            "    - clk: qcom: gfx3d: add parent to parent request map",
                            "    - clk: mediatek: Fix error handling in runtime PM setup",
                            "    - dmaengine: mediatek: uart-apdma: Fix above 4G addressing TX/RX",
                            "    - dma: dma-axi-dmac: fix SW cyclic transfers",
                            "    - staging: greybus: lights: avoid NULL deref",
                            "    - serial: imx: change SERIAL_IMX_CONSOLE to bool",
                            "    - serial: SH_SCI: improve \"DMA support\" prompt",
                            "    - mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms",
                            "    - iio: pressure: mprls0025pa: fix scan_type struct",
                            "    - watchdog: starfive-wdt: Fix PM reference leak in probe error path",
                            "    - coresight: etm3x: Fix cpulocked warning on cpuhp",
                            "    - Revert \"mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms\"",
                            "    - mfd: arizona: Fix regulator resource leak on",
                            "      wm5102_clear_write_sequencer() failure",
                            "    - mfd: simple-mfd-i2c: Add MAX77705 support",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: simple-mfd-i2c: Add SpacemiT P1 support",
                            "    - mfd: simple-mfd-i2c: Keep compatible strings in alphabetical order",
                            "    - mfd: simple-mfd-i2c: Add Delta TN48M CPLD support",
                            "    - [Config] Disable new Delta TN48M CPLD support by default",
                            "    - drivers: iio: mpu3050: use dev_err_probe for regulator request",
                            "    - usb: bdc: fix sleep during atomic",
                            "    - pinctrl: equilibrium: Fix device node reference leak in pinbank_init()",
                            "    - ovl: Fix uninit-value in ovl_fill_real",
                            "    - iio: sca3000: Fix a resource leak in sca3000_probe()",
                            "    - pinctrl: qcom: sm8250-lpass-lpi: Fix i2s2_data_groups definition",
                            "    - pinctrl: single: fix refcount leak in pcs_add_gpio_func()",
                            "    - leds: qcom-lpg: Check the return value of regmap_bulk_write()",
                            "    - backlight: qcom-wled: Support ovp values for PMI8994",
                            "    - backlight: qcom-wled: Change PM8950 WLED configurations",
                            "    - dmaengine: fsl-edma: don't explicitly disable clocks in .remove()",
                            "    - io_uring/cancel: de-unionize file and user_data in struct io_cancel_data",
                            "    - fs/ntfs3: prevent infinite loops caused by the next valid being the same",
                            "    - fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot",
                            "    - ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs",
                            "    - powercap: intel_rapl_tpmi: Remove FW_BUG from invalid version check",
                            "    - kbuild: Add objtool to top-level clean target",
                            "    - selftests/memfd: delete unused declarations",
                            "    - selftests/memfd: use IPC semaphore instead of SIGSTOP/SIGCONT",
                            "    - ACPI: PM: Add unused power resource quirk for THUNDEROBOT ZERO",
                            "    - cpuidle: Skip governor when only one idle state is available",
                            "    - selftests: mlxsw: tc_restrictions: Fix test failure with new iproute2",
                            "    - net: sparx5/lan969x: fix DWRR cost max to match hardware register width",
                            "    - net: mscc: ocelot: extract ocelot_xmit_timestamp() helper",
                            "    - net: mscc: ocelot: split xmit into FDMA and register injection paths",
                            "    - net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj()",
                            "    - ipv6: Fix out-of-bound access in fib6_add_rt2node().",
                            "    - net: sparx5/lan969x: fix PTP clock max_adj value",
                            "    - net: usb: catc: enable basic endpoint checking",
                            "    - xen-netback: reject zero-queue configuration from guest",
                            "    - net/rds: rds_sendmsg should not discard payload_len",
                            "    - net: bridge: mcast: always update mdb_n_entries for vlan contexts",
                            "    - selftests: forwarding: vxlan_bridge_1d: fix test failure with",
                            "      br_netfilter enabled",
                            "    - selftests: forwarding: vxlan_bridge_1d_ipv6: fix test failure with",
                            "      br_netfilter enabled",
                            "    - netfilter: nf_conntrack_h323: don't pass uninitialised l3num value",
                            "    - net: remove WARN_ON_ONCE when accessing forward path array",
                            "    - ipv6: fix a race in ip6_sock_set_v6only()",
                            "    - bpftool: Fix truncated netlink dumps",
                            "    - ping: annotate data-races in ping_lookup()",
                            "    - icmp: move icmp_global.credit and icmp_global.stamp to per netns storage",
                            "    - icmp: icmp_msgs_per_sec and icmp_msgs_burst sysctls become per netns",
                            "    - icmp: prevent possible overflow in icmp_global_allow()",
                            "    - cache: add __cacheline_group_{begin, end}_aligned() (+ couple more)",
                            "    - inet: move icmp_global_{credit,stamp} to a separate cache line",
                            "    - octeontx2-af: Fix default entries mcam entry action",
                            "    - bonding: alb: fix UAF in rlb_arp_recv during bond up/down",
                            "    - net/mlx5: Fix multiport device check over light SFs",
                            "    - apparmor: fix NULL sock in aa_sock_file_perm",
                            "    - apparmor: return -ENOMEM in unpack_perms_table upon alloc failure",
                            "    - apparmor: fix rlimit for posix cpu timers",
                            "    - apparmor: remove apply_modes_to_perms from label_match",
                            "    - apparmor: make label_match return a consistent value",
                            "    - apparmor: fix invalid deref of rawdata when export_binary is unset",
                            "    - apparmor: fix aa_label to return state from compount and component match",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_ras_init()",
                            "    - drm/i915/acpi: free _DSM package when no connectors",
                            "    - ASoC: codecs: aw88261: Fix erroneous bitmask logic in Awinic init",
                            "    - drm/amdkfd: fix debug watchpoints for logical devices",
                            "    - drm/amdkfd: Fix watch_id bounds checking in debug address watch v2",
                            "    - spi: wpcm-fiu: Use devm_platform_ioremap_resource_byname()",
                            "    - spi: wpcm-fiu: Fix uninitialized res",
                            "    - spi: wpcm-fiu: Simplify with dev_err_probe()",
                            "    - spi: wpcm-fiu: Fix potential NULL pointer dereference in",
                            "      wpcm_fiu_probe()",
                            "    - s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n",
                            "    - efi: Fix reservation of unaccepted memory table",
                            "    - btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not",
                            "      found",
                            "    - x86/hyperv: Fix error pointer dereference",
                            "    - ASoC: rockchip: i2s-tdm: Use param rate if not provided by set_sysclk",
                            "    - drm/amd/display: Use same max plane scaling limits for all 64 bpp",
                            "      formats",
                            "    - MIPS: Work around LLVM bug when gp is used as global register variable",
                            "    - ext4: don't cache extent during splitting extent",
                            "    - ext4: fix memory leak in ext4_ext_shift_extents()",
                            "    - ext4: use optimized mballoc scanning regardless of inode format",
                            "    - ata: pata_ftide010: Fix some DMA timings",
                            "    - ata: libata-scsi: refactor ata_scsi_translate()",
                            "    - SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths",
                            "    - SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path",
                            "    - ASoC: dt-bindings: asahi-kasei,ak4458: Fix the supply names",
                            "    - ASoC: dt-bindings: asahi-kasei,ak5558: Fix the supply names",
                            "    - perf test stat: Update test expectations and events",
                            "    - perf test stat tests: Fix for virtualized machines",
                            "    - perf unwind-libdw: Fix invalid reference counts",
                            "    - perf callchain: Fix srcline printing with inlines",
                            "    - libsubcmd: Fix null intersection case in exclude_cmds()",
                            "    - libperf: Don't remove -g when EXTRA_CFLAGS are used",
                            "    - libperf build: Always place libperf includes first",
                            "    - rtc: interface: Alarm race handling should not discard preceding error",
                            "    - hfsplus: fix volume corruption issue for generic/498",
                            "    - fs/buffer: add alert in try_to_free_buffers() for folios without buffers",
                            "    - hfsplus: pretend special inodes as regular files",
                            "    - i3c: master: svc: Initialize 'dev' to NULL in svc_i3c_master_ibi_isr()",
                            "    - minix: Add required sanity checking to minix_check_superblock()",
                            "    - btrfs: handle user interrupt properly in btrfs_trim_fs()",
                            "    - smb: client: add proper locking around ses->iface_last_update",
                            "    - gfs2: fiemap page fault fix",
                            "    - smb: client: prevent races in ->query_interfaces()",
                            "    - tools/power cpupower: Reset errno before strtoull()",
                            "    - s390/purgatory: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS",
                            "    - perf/arm-cmn: Support CMN-600AE",
                            "    - arm64: Add support for TSV110 Spectre-BHB mitigation",
                            "    - rnbd-srv: Zero the rsp buffer before using it",
                            "    - x86/xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE",
                            "      is set",
                            "    - EFI/CPER: don't dump the entire memory region",
                            "    - APEI/GHES: ensure that won't go past CPER allocated record",
                            "    - EFI/CPER: don't go past the ARM processor CPER record buffer",
                            "    - ACPI: processor: Fix NULL-pointer dereference in",
                            "      acpi_processor_errata_piix4()",
                            "    - ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP",
                            "    - md-cluster: fix NULL pointer dereference in process_metadata_update",
                            "    - cpufreq: dt-platdev: Block the driver from probing on more QC platforms",
                            "    - s390/perf: Disable register readout on sampling events",
                            "    - perf/cxlpmu: Replace IRQF_ONESHOT with IRQF_NO_THREAD",
                            "    - xenbus: Use .freeze/.thaw to handle xenbus devices",
                            "    - blk-mq-debugfs: add missing debugfs_mutex in",
                            "      blk_mq_debugfs_register_hctxs()",
                            "    - sparc: Synchronize user stack on fork and clone",
                            "    - sparc: don't reference obsolete termio struct for TC* constants",
                            "    - bpf: verifier improvement in 32bit shift sign extension pattern",
                            "    - clocksource/drivers/sh_tmu: Always leave device running after probe",
                            "    - clocksource/drivers/timer-integrator-ap: Add missing Kconfig dependency",
                            "      on OF",
                            "    - PCI/MSI: Unmap MSI-X region on error",
                            "    - crypto: hisilicon/qm - move the barrier before writing to the mailbox",
                            "      register",
                            "    - mailbox: bcm-ferxrm-mailbox: Use default primary handler",
                            "    - char: tpm: cr50: Remove IRQF_ONESHOT",
                            "    - pstore: ram_core: fix incorrect success return when vmap() fails",
                            "    - arm64: tegra: smaug: Add usb-role-switch support",
                            "    - parisc: Prevent interrupts during reboot",
                            "    - drm/display/dp_mst: Add protection against 0 vcpi",
                            "    - spi-geni-qcom: initialize mode related registers to 0",
                            "    - spi-geni-qcom: use xfer->bits_per_word for can_dma()",
                            "    - media: dvb-core: dmxdevfilter must always flush bufs",
                            "    - spi: stm32: fix Overrun issue at < 8bpw",
                            "    - drm/v3d: Set DMA segment size to avoid debug warnings",
                            "    - media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes",
                            "    - media: omap3isp: isppreview: always clamp in preview_try_format()",
                            "    - media: omap3isp: set initial format",
                            "    - media: mediatek: vcodec: Don't try to decode 422/444 VP9",
                            "    - drm/amdgpu: add support for HDP IP version 6.1.1",
                            "    - drm/amdgpu: avoid a warning in timedout job handler",
                            "    - HID: apple: Add \"SONiX KN85 Keyboard\" to the list of non-apple keyboards",
                            "    - ASoC: wm8962: Add WM8962_ADC_MONOMIX to \"3D Coefficients\" mask",
                            "    - ASoC: wm8962: Don't report a microphone if it's shorted to ground on",
                            "      plug",
                            "    - spi: spi-mem: Limit octal DTR constraints to octal DTR situations",
                            "    - media: amphion: Clear last_buffer_dequeued flag for DEC_CMD_START",
                            "    - media: adv7180: fix frame interval in progressive mode",
                            "    - media: pvrusb2: fix URB leak in pvr2_send_request_ex",
                            "    - media: solo6x10: Check for out of bounds chip_id",
                            "    - media: cx25821: Fix a resource leak in cx25821_dev_setup()",
                            "    - media: v4l2-async: Fix error handling on steps after finding a match",
                            "    - drm/amdkfd: Fix GART PTE for non-4K pagesize in svm_migrate_gart_map()",
                            "    - drm: Account property blob allocations to memcg",
                            "    - hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed",
                            "    - virt: vbox: uapi: Mark inner unions in packed structs as packed",
                            "    - drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback",
                            "    - drm/atmel-hlcdc: don't reject the commit if the src rect has fractional",
                            "      parts",
                            "    - drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release",
                            "    - media: rkisp1: Fix filter mode register configuration",
                            "    - HID: multitouch: add eGalaxTouch EXC3188 support",
                            "    - HID: elecom: Add support for ELECOM HUGE Plus M-HT1MRBK",
                            "    - ALSA: hda/conexant: Add headset mic fix for MECHREVO Wujie 15X Pro",
                            "    - gpio: aspeed-sgpio: Change the macro to support deferred probe",
                            "    - ASoC: sunxi: sun50i-dmic: Add missing check for devm_regmap_init_mmio",
                            "    - spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end",
                            "    - ASoC: codecs: max98390: Check return value of devm_gpiod_get_optional()",
                            "      in max98390_i2c_probe()",
                            "    - hwmon: (nct6775) Add ASUS Pro WS WRX90E-SAGE SE",
                            "    - hwmon: (f71882fg) Add F81968 support",
                            "    - ASoC: es8328: Add error unwind in resume",
                            "    - modpost: Amend ppc64 save/restfpr symnames for -Os build",
                            "    - ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio",
                            "    - jfs: Add missing set_freezable() for freezable kthread",
                            "    - jfs: nlink overflow in jfs_rename",
                            "    - wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero",
                            "    - wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()",
                            "    - wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H",
                            "    - dm: replace -EEXIST with -EBUSY",
                            "    - dm: remove fake timeout to avoid leak request",
                            "    - iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency",
                            "    - wifi: libertas: fix WARNING in usb_tx_block",
                            "    - iommu/amd: move wait_on_sem() out of spinlock",
                            "    - wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode",
                            "    - PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port",
                            "    - wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1",
                            "    - wifi: ath12k: fix preferred hardware mode calculation",
                            "    - ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}()",
                            "    - ipv6: exthdrs: annotate data-race over multiple sysctl",
                            "    - ext4: mark group add fast-commit ineligible",
                            "    - ext4: move ext4_percpu_param_init() before ext4_mb_init()",
                            "    - ext4: mark group extend fast-commit ineligible",
                            "    - netfilter: nf_conntrack: Add allow_clash to generic protocol handler",
                            "    - netfilter: xt_tcpmss: check remaining length before reading optlen",
                            "    - openrisc: define arch-specific version of nop()",
                            "    - net: usb: r8152: fix transmit queue timeout",
                            "    - wifi: iwlwifi: mvm: check the validity of noa_len",
                            "    - net/rds: No shortcut out of RDS_CONN_ERROR",
                            "    - gro: change the BUG_ON() in gro_pull_from_frag0()",
                            "    - ipv4: igmp: annotate data-races around idev->mr_maxdelay",
                            "    - net: hns3: extend HCLGE_FD_AD_QID to 11 bits",
                            "    - wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power()",
                            "    - wifi: iwlegacy: add missing mutex protection in",
                            "      il3945_store_measurement()",
                            "    - ipv4: fib: Annotate access to struct fib_alias.fa_state.",
                            "    - Bluetooth: hci_conn: Set link_policy on incoming ACL connections",
                            "    - Bluetooth: hci_conn: use mod_delayed_work for active mode timeout",
                            "    - Bluetooth: btusb: Add new VID/PID for RTL8852CE",
                            "    - Bluetooth: btusb: Add device ID for Realtek RTL8761BU",
                            "    - octeontx2-af: Workaround SQM/PSE stalls by disabling sticky",
                            "    - wifi: rtw89: pci: restore LDO setting after device resume",
                            "    - wifi: ath10k: fix lock protection in",
                            "      ath10k_wmi_event_peer_sta_ps_state_chg()",
                            "    - net: usb: sr9700: remove code to drive nonexistent multicast filter",
                            "    - vmw_vsock: bypass false-positive Wnonnull warning with gcc-16",
                            "    - net/rds: Clear reconnect pending bit",
                            "    - PCI: Mark ASM1164 SATA controller to avoid bus reset",
                            "    - PCI: Fix pci_slot_lock () device locking",
                            "    - PCI: Enable ACS after configuring IOMMU for OF platforms",
                            "    - PCI: Add ACS quirk for Qualcomm Hamoa & Glymur",
                            "    - PCI: Mark Nvidia GB10 to avoid bus reset",
                            "    - myri10ge: avoid uninitialized variable use",
                            "    - nfc: nxp-nci: remove interrupt trigger type",
                            "    - RDMA/rtrs-clt: For conn rejection use actual err number",
                            "    - ata: libata: avoid long timeouts on hot-unplugged SATA DAS",
                            "    - hisi_acc_vfio_pci: update status after RAS error",
                            "    - scsi: buslogic: Reduce stack usage",
                            "    - vhost: fix caching attributes of MMIO regions by setting them explicitly",
                            "    - tracing: Fix false sharing in hwlat get_sample()",
                            "    - remoteproc: imx_dsp_rproc: Skip RP_MBOX_SUSPEND_SYSTEM when mailbox TX",
                            "      channel is uninitialized",
                            "    - mailbox: pcc: Remove spurious IRQF_ONESHOT usage",
                            "    - mailbox: imx: Skip the suspend flag for i.MX7ULP",
                            "    - mailbox: sprd: mask interrupts that are not handled",
                            "    - remoteproc: mediatek: Break lock dependency to `prepare_lock`",
                            "    - mailbox: sprd: clear delivery flag before handling TX done",
                            "    - clk: microchip: core: correct return value on *_get_parent()",
                            "    - m68k: nommu: fix memmove() with differently aligned src and dest for",
                            "      68000",
                            "    - soundwire: dmi-quirks: add mapping for Avell B.ON (OEM rebranded of",
                            "      NUC15)",
                            "    - staging: rtl8723bs: fix missing status update on sdio_alloc_irq()",
                            "      failure",
                            "    - serial: 8250_dw: handle clock enable errors in runtime_resume",
                            "    - usb: typec: ucsi: psy: Fix voltage and current max for non-Fixed PDOs",
                            "    - fpga: of-fpga-region: Fail if any bridge is missing",
                            "    - dmaengine: sun6i: Choose appropriate burst length under maxburst",
                            "    - dmaengine: stm32-mdma: initialize m2m_hw_period and ccr to fix warnings",
                            "    - misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()",
                            "    - misc: eeprom: Fix EWEN/EWDS/ERAL commands for 93xx56 and 93xx66",
                            "    - staging: rtl8723bs: fix memory leak on failure path",
                            "    - serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA",
                            "      termination is done",
                            "    - fix it87_wdt early reboot by reporting running timer",
                            "    - binder: don't use %pK through printk",
                            "    - watchdog: imx7ulp_wdt: handle the nowayout option",
                            "    - phy: mvebu-cp110-utmi: fix dr_mode property read from dts",
                            "    - phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature",
                            "    - Revert \"mfd: da9052-spi: Change read-mask to write-mask\"",
                            "    - iio: Use IRQF_NO_THREAD",
                            "    - iio: magnetometer: Remove IRQF_ONESHOT",
                            "    - MIPS: Loongson: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - fs/ntfs3: drop preallocated clusters for sparse and compressed files",
                            "    - fs/ntfs3: avoid calling run_get_entry() when run == NULL in",
                            "      ntfs_read_run_nb_ra()",
                            "    - ceph: supply snapshot context in ceph_uninline_data()",
                            "    - libceph: define and enforce CEPH_MAX_KEY_LEN",
                            "    - thermal: int340x: Fix sysfs group leak on DLVR registration failure",
                            "    - include: uapi: netfilter_bridge.h: Cover for musl libc",
                            "    - ARM: 9467/1: mm: Don't use %pK through printk",
                            "    - drm/amd/display: Avoid updating surface with the same surface under MPO",
                            "    - drm/amdgpu: Adjust usleep_range in fence wait",
                            "    - ALSA: usb-audio: Update the number of packets properly at receiving",
                            "    - drm/amdgpu: Add HAINAN clock adjustment",
                            "    - drm/radeon: Add HAINAN clock adjustment",
                            "    - ALSA: usb-audio: Add sanity check for OOB writes at silencing",
                            "    - btrfs: replace BUG() with error handling in __btrfs_balance()",
                            "    - drm/amd/display: Remove conditional for shaper 3DLUT power-on",
                            "    - rtc: zynqmp: correct frequency value",
                            "    - ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access",
                            "    - ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut",
                            "    - xfrm6: fix uninitialized saddr in xfrm6_get_saddr()",
                            "    - xfrm: skip templates check for packet offload tunnel mode",
                            "    - ipmi: ipmb: initialise event handler read bytes",
                            "    - xfrm: always flush state and policy upon NETDEV_UNREGISTER event",
                            "    - net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode",
                            "    - net: usb: lan78xx: scan all MDIO addresses on LAN7801",
                            "    - net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()",
                            "    - net: ethernet: xscale: Check for PTP support properly",
                            "    - wifi: cfg80211: wext: fix IGTK key ID off-by-one",
                            "    - Remove WARN_ALL_UNSEEDED_RANDOM kernel config option",
                            "    - [Config] Remove WARN_ALL_UNSEEDED_RANDOM",
                            "    - Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ",
                            "    - Bluetooth: hci_qca: Cleanup on all setup failures",
                            "    - Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix not checking output MTU is acceptable on",
                            "      L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ",
                            "    - tipc: fix duplicate publication key in tipc_service_insert_publ()",
                            "    - RDMA/core: Fix stale RoCE GIDs during netdev events at registration",
                            "    - net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets",
                            "    - RDMA/efa: Fix typo in efa_alloc_mr()",
                            "    - net: usb: pegasus: enable basic endpoint checking",
                            "    - RDMA/umem: Fix double dma_buf_unpin in failure path",
                            "    - net/mlx5: DR, Fix circular locking dependency in dump",
                            "    - net/mlx5: Fix missing devlink lock in SRIOV enable error path",
                            "    - net: consume xmit errors of GSO frames",
                            "    - dpaa2-switch: validate num_ifs to prevent out-of-bounds write",
                            "    - netfilter: nf_conntrack_h323: fix OOB read in decode_choice()",
                            "    - rpmsg: core: fix race in driver_override_show() and use core helper",
                            "    - clk: renesas: rzg2l: Fix intin variable size",
                            "    - clk: renesas: rzg2l: Select correct div round macro",
                            "    - ASoC: SOF: ipc4-control: If there is no data do not send bytes update",
                            "    - ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls",
                            "    - ASoC: SOF: ipc4-control: Use the correct size for",
                            "      scontrol->ipc_control_data",
                            "    - ASoC: SOF: ipc4-control: Keep the payload size up to date",
                            "    - fpga: dfl: use subsys_initcall to allow built-in drivers to be added",
                            "    - dm-verity: correctly handle dm_bufio_client_create() failure",
                            "    - media: mediatek: encoder: Fix uninitialized scalar variable issue",
                            "    - media: mtk-mdp: Fix error handling in probe function",
                            "    - media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()",
                            "    - media: verisilicon: AV1: Fix enable cdef computation",
                            "    - media: verisilicon: AV1: Fix tx mode bit setting",
                            "    - ARM: omap2: Fix reference count leaks in omap_control_init()",
                            "    - KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3()",
                            "      succeeding",
                            "    - arm64: Disable branch profiling for all arm64 code",
                            "    - HID: hid-pl: handle probe errors",
                            "    - HID: magicmouse: Do not crash on missing msc->input",
                            "    - HID: prodikeys: Check presence of pm->input_ep82",
                            "    - HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()",
                            "    - arm64: dts: apple: t8112-j473: Keep the HDMI port powered on",
                            "    - media: verisilicon: AV1: Set IDR flag for intra_only frame type",
                            "    - media: radio-keene: fix memory leak in error path",
                            "    - media: cx88: Add missing unmap in snd_cx88_hw_params()",
                            "    - media: cx23885: Add missing unmap in snd_cx23885_hw_params()",
                            "    - media: cx25821: Add missing unmap in snd_cx25821_hw_params()",
                            "    - media: i2c/tw9903: Fix potential memory leak in tw9903_probe()",
                            "    - media: i2c/tw9906: Fix potential memory leak in tw9906_probe()",
                            "    - media: i2c: ov01a10: Fix the horizontal flip control",
                            "    - media: i2c: ov01a10: Fix reported pixel-rate value",
                            "    - media: i2c: ov01a10: Fix analogue gain range",
                            "    - media: i2c: ov01a10: Add missing v4l2_subdev_cleanup() calls",
                            "    - media: i2c: ov01a10: Fix test-pattern disabling",
                            "    - media: qcom: camss: vfe: Fix out-of-bounds access in",
                            "      vfe_isr_reg_update()",
                            "    - media: ccs: Avoid possible division by zero",
                            "    - media: i2c: ov5647: Initialize subdev before controls",
                            "    - media: i2c: ov5647: Correct pixel array offset",
                            "    - media: i2c: ov5647: Correct minimum VBLANK value",
                            "    - media: i2c: ov5647: Sensor should report RAW color space",
                            "    - media: i2c: ov5647: Fix PIXEL_RATE value for VGA mode",
                            "    - media: i2c: ov5647: use our own mutex for the ctrl lock",
                            "    - dm-integrity: fix a typo in the code for write/discard race",
                            "    - dm: clear cloned request bio pointer when last clone bio completes",
                            "    - soc: ti: k3-socinfo: Fix regmap leak on probe failure",
                            "    - soc: ti: pruss: Fix double free in pruss_clk_mux_setup()",
                            "    - KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation",
                            "    - clk: clk-apple-nco: Add \"apple,t8103-nco\" compatible",
                            "    - media: i2c: ov01a10: Fix digital gain range",
                            "    - clk: tegra: tegra124-emc: Fix potential memory leak in",
                            "      tegra124_clk_register_emc()",
                            "    - s390/pci: Handle futile config accesses of disabled devices directly",
                            "    - dm-integrity: fix recalculation in bitmap mode",
                            "    - dm-unstripe: fix mapping bug when there are multiple targets in a table",
                            "    - arm64: dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro",
                            "    - media: venus: vdec: fix error state assignment for zero bytesused",
                            "    - media: venus: vdec: restrict EOS addr quirk to IRIS2 only",
                            "    - drm: of: drm_of_panel_bridge_remove(): fix device_node leak",
                            "    - mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations",
                            "    - selftests/mm/charge_reserved_hugetlb: drop mount size for hugetlbfs",
                            "    - xfs: mark data structures corrupt on EIO and ENODATA",
                            "    - media: verisilicon: AV1: Fix tile info buffer size",
                            "    - iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in",
                            "      scalable mode",
                            "    - mfd: core: Add locking around 'mfd_of_node_list'",
                            "    - xfs: delete attr leaf freemap entries when empty",
                            "    - xfs: fix freemap adjustments when adding xattrs to leaf blocks",
                            "    - xfs: fix remote xattr valuelblk check",
                            "    - KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()",
                            "    - PCI: endpoint: Fix swapped parameters in",
                            "      pci_{primary/secondary}_epc_epf_unlink() functions",
                            "    - md/bitmap: fix GPF in write_page caused by resize race",
                            "    - nfsd: fix return error code for nfsd_map_name_to_[ug]id",
                            "    - nvmem: Drop OF node reference on nvmem_add_one_cell() failure",
                            "    - usb: gadget: tegra-xudc: Add handling for BLCG_COREPLL_PWRDN",
                            "    - bus: fsl-mc: fix an error handling in fsl_mc_device_add()",
                            "    - dm mpath: make pg_init_delay_msecs settable",
                            "    - tools: Fix bitfield dependency failure",
                            "    - powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()",
                            "    - iio: gyro: itg3200: Fix unchecked return value in read_raw",
                            "    - mm/highmem: fix __kmap_to_page() build error",
                            "    - rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()",
                            "    - ocfs2: fix reflink preserve cleanup issue",
                            "    - kexec: derive purgatory entry from symbol",
                            "    - Revert \"PCI/IOV: Add PCI rescan-remove locking when enabling/disabling",
                            "      SR-IOV\"",
                            "    - PCI/IOV: Fix race between SR-IOV enable/disable and hotplug",
                            "    - arm64: Fix non-atomic __READ_ONCE() with CONFIG_LTO=y",
                            "    - btrfs: continue trimming remaining devices on failure",
                            "    - remoteproc: imx_rproc: Fix invalid loaded resource table detection",
                            "    - perf/arm-cmn: Reject unsupported hardware configurations",
                            "    - scsi: ufs: core: Flush exception handling work when RPM level is zero",
                            "    - usb: dwc3: gadget: Move vbus draw to workqueue context",
                            "    - usb: dwc2: fix resume failure if dr_mode is host",
                            "    - mtd: rawnand: pl353: Fix software ECC support",
                            "    - tipc: fix RCU dereference race in tipc_aead_users_dec()",
                            "    - drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()",
                            "    - net: cpsw_new: Fix unnecessary netdev unregistration in cpsw_probe()",
                            "      error path",
                            "    - PCI: Fix pci_slot_trylock() error handling",
                            "    - parisc: kernel: replace kfree() with put_device() in create_tree_node()",
                            "    - staging: rtl8723bs: fix null dereference in find_network",
                            "    - cifs: Fix locking usage for tcon fields",
                            "    - MIPS: rb532: Fix MMIO UART resource registration",
                            "    - ceph: supply snapshot context in ceph_zero_partial_object()",
                            "    - LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - LoongArch: Prefer top-down allocation after arch_mem_init()",
                            "    - LoongArch: Guard percpu handler under !CONFIG_PREEMPT_RT",
                            "    - LoongArch: Disable instrumentation for setup_ptwalker()",
                            "    - net: ethernet: marvell: skge: remove incorrect conflicting PCI ID",
                            "    - net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()",
                            "    - octeontx2-af: CGX: fix bitmap leaks",
                            "    - net: macb: Fix tx/rx malfunction after phy link down and up",
                            "    - tracing: Fix to set write permission to per-cpu buffer_size_kb",
                            "    - io_uring/filetable: clamp alloc_hint to the configured alloc range",
                            "    - net: intel: fix PCI device ID conflict between i40e and ipw2200",
                            "    - atm: fore200e: fix use-after-free in tasklets during device removal",
                            "    - ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()",
                            "    - fbcon: check return value of con2fb_acquire_newinfo()",
                            "    - fbdev: vt8500lcdfb: fix missing dma_free_coherent()",
                            "    - fbdev: of: display_timing: fix refcount leak in of_get_display_timings()",
                            "    - fbdev: ffb: fix corrupted video output on Sun FFB1",
                            "    - fbcon: Remove struct fbcon_display.inverse",
                            "    - cifs: some missing initializations on replay",
                            "    - ASoC: amd: yc: Add DMI quirk for ASUS Vivobook Pro 15X M6501RR",
                            "    - net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle",
                            "    - net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()",
                            "    - x86/kexec: Copy ACPI root pointer address from config table",
                            "    - arm64: Force the use of CNTVCT_EL0 in __delay()",
                            "    - net: nfc: nci: Fix parameter validation for packet data",
                            "    - tracing: Fix checking of freed trace_event_file for hist files",
                            "    - tracing: Wake up poll waiters for hist files when removing an event",
                            "    - NTB: ntb_transport: Fix too small buffer for debugfs_name",
                            "    - drm/i915/wakeref: clean up INTEL_WAKEREF_PUT_* flag macros",
                            "    - arm64: Fix sampling the \"stable\" virtual counter in preemptible section",
                            "    - gfs2: Fix slab-use-after-free in qd_put",
                            "    - io_uring: use release-acquire ordering for IORING_SETUP_R_DISABLED",
                            "    - thermal: intel: x86_pkg_temp_thermal: Handle invalid temperature",
                            "    - OPP: Return correct value in dev_pm_opp_get_level",
                            "    - cpufreq: scmi: Fix device_node reference leak in scmi_cpu_domain_id()",
                            "    - perf/x86/core: Do not set bit width for unavailable counters",
                            "    - genirq: Set IRQF_COND_ONESHOT in devm_request_irq().",
                            "    - platform/x86: int0002: Remove IRQF_ONESHOT from request_irq()",
                            "    - media: pci: mg4b: Use IRQF_NO_THREAD",
                            "    - firmware: arm_ffa: Correct 32-bit response handling in",
                            "      NOTIFICATION_INFO_GET",
                            "    - arm64: dts: qcom: msm8994-octagon: Fix Analog Devices vendor prefix of",
                            "      AD7147",
                            "    - arm64: dts: mediatek: mt8183-jacuzzi-pico6: Fix typo in pinmux node",
                            "    - arm64: dts: qcom: qrb4210-rb2: Fix UART3 wakeup IRQ storm",
                            "    - arm64: dts: qcom: x1e: bus is 40-bits (fix 64GB models)",
                            "    - media: chips-media: wave5: Fix memory leak on codec_info allocation",
                            "      failure",
                            "    - drm/amd: Drop \"amdgpu kernel modesetting enabled\" message",
                            "    - drm/amdkfd: Fix signal_eviction_fence() bool return value",
                            "    - drm/xe: Unregister drm device on probe error",
                            "    - HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients",
                            "    - wifi: cfg80211: Fix use_for flag update on BSS refresh",
                            "    - PCI: Check parent for NULL in of_pci_bus_release_domain_nr()",
                            "    - netfilter: nfnetlink_queue: optimize verdict lookup with hash table",
                            "    - netfilter: nfnetlink_queue: do shared-unconfirmed check before",
                            "      segmentation",
                            "    - netfilter: nft_set_rbtree: fix bogus EEXIST with NLM_F_CREATE with null",
                            "      interval",
                            "    - power: supply: pm8916_bms_vm: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()",
                            "    - RDMA/mlx5: Fix UMR hang in LAG error state unload",
                            "    - IB/mlx5: Fix port speed query for representors",
                            "    - platform/x86/amd/pmf: Prevent TEE errors after hibernate",
                            "    - crypto: ccp - Declare PSP dead if PSP_CMD_TEE_RING_INIT fails",
                            "    - power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler",
                            "    - clk: qcom: gcc-sm8650: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: gcc-sm4450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-x1e80100: Update the SDCC RCGs to use shared_floor_ops",
                            "    - dma: dma-axi-dmac: fix HW scatter-gather not looking at the queue",
                            "    - iio: pressure: mprls0025pa: fix interrupt flag",
                            "    - objpool: fix the overestimation of object pooling metadata size",
                            "    - ipvs: do not keep dest_dst if dev is going down",
                            "    - net/mlx5e: Use unsigned for mlx5e_get_max_num_channels",
                            "    - AppArmor: Allow apparmor to handle unaligned dfa tables",
                            "    - apparmor: Fix & Optimize table creation from possibly unaligned memory",
                            "    - apparmor: avoid per-cpu hold underflow in aa_get_buffer",
                            "    - drm/amd/display: Fix out-of-bounds stream encoder index v3",
                            "    - btrfs: use the correct type to initialize block reserve for delayed refs",
                            "    - Drivers: hv: vmbus: Use kthread for vmbus interrupts on PREEMPT_RT",
                            "    - i3c: mipi-i3c-hci: Reset RING_OPERATION1 fields during init",
                            "    - APEI/GHES: ARM processor Error: don't go past allocated memory",
                            "    - ACPI: resource: Add JWIPC JVC9100 to irq1_level_low_skip_override[]",
                            "    - powercap: intel_rapl: Add PL4 support for Ice Lake",
                            "    - alpha: fix user-space corruption during memory compaction",
                            "    - ACPI: x86: s2idle: Invoke Microsoft _DSM Function 9 (Turn On Display)",
                            "    - ACPI: battery: fix incorrect charging status when current is zero",
                            "    - perf/x86/msr: Add Airmont NP",
                            "    - perf/x86/cstate: Add Airmont NP",
                            "    - bpf: Recognize special arithmetic shift in the verifier",
                            "    - firmware: arm_ffa: Unmap Rx/Tx buffers on init failure",
                            "    - gpu/panel-edp: add AUO panel entry for B140HAN06.4",
                            "    - drm/amdgpu: fix NULL pointer issue buffer funcs",
                            "    - ASoC: SOF: ipc4: Support for sending payload along with LARGE_CONFIG_GET",
                            "    - media: chips-media: wave5: Fix conditional in start_streaming",
                            "    - media: chips-media: wave5: Process ready frames when CMD_STOP sent to",
                            "      Encoder",
                            "    - drm/amd/display: Fix dsc eDP issue",
                            "    - drm/panel: Fix a possible null-pointer dereference in",
                            "      jdi_panel_dsi_remove()",
                            "    - media: mt9m114: Avoid a reset low spike during probe()",
                            "    - media: mt9m114: Return -EPROBE_DEFER if no endpoint is found",
                            "    - ALSA: hda/realtek: add HP Victus 16-e0xxx mute LED quirk",
                            "    - PCI: Add Intel Nova Lake audio Device ID",
                            "    - drm/amd/display: Disable FEC when powering down encoders",
                            "    - drm/amd/display: avoid dig reg access timeout on usb4 link training fail",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7080",
                            "    - HID: logitech-hidpp: Add support for Logitech K980",
                            "    - ASoC: SOF: Intel: hda: Fix NULL pointer dereference",
                            "    - spi: geni-qcom: Fix abort sequence execution for serial engine errors",
                            "    - ALSA: hda/realtek - Enable mute LEDs on HP ENVY x360 15-es0xxx",
                            "    - wifi: rtw89: 8922a: set random mac if efuse contains zeroes",
                            "    - wifi: rtw89: ser: enable error IMR after recovering from L1",
                            "    - wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()",
                            "    - wifi: rtw89: mac: correct page number for CSI response",
                            "    - wifi: ath11k: Fix failure to connect to a 6 GHz AP",
                            "    - ipv6: annotate data-races over sysctl.flowlabel_reflect",
                            "    - ext4: use reserved metadata blocks when splitting extent on endio",
                            "    - Bluetooth: btusb: Add support for MediaTek7920 0489:e158",
                            "    - net: sfp: add quirk for Lantech 8330-265D",
                            "    - PCI/AER: Clear stale errors on reporting agents upon probe",
                            "    - scsi: ufs: mediatek: Fix page faults in ufs_mtk_clk_scale() trace event",
                            "    - riscv: vector: init vector context with proper vlenb",
                            "    - HID: i2c-hid: Add FocalTech FT8112",
                            "    - 9p/xen: protect xen_9pfs_front_free against concurrent calls",
                            "    - soundwire: intel_auxdevice: add cs42l45 codec to wake_capable_list",
                            "    - most: remove usage of the deprecated ida_simple_xx() API",
                            "    - most: core: fix resource leak in most_register_interface error paths",
                            "    - usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()",
                            "    - serial: 8250: 8250_omap.c: Add support for handling UART error",
                            "      conditions",
                            "    - mfd: intel-lpss: Add Intel Nova Lake-S PCI IDs",
                            "    - ACPI: x86: Force enabling of PWM2 on the Yogabook YB1-X90",
                            "    - drm/amd/display: Fix writeback on DCN 3.2+",
                            "    - drm/amd/display: Fix system resume lag issue",
                            "    - drm/amd/display: bypass post csc for additional color spaces in dal",
                            "    - spi: spidev: fix lock inversion between spi_lock and buf_lock",
                            "    - Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings",
                            "    - Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too",
                            "      short",
                            "    - kcm: fix zero-frag skb in frag_list on partial sendmsg error",
                            "    - net/mlx5: E-switch, Clear legacy flag when moving to switchdev",
                            "    - net/mlx5e: Separate address related variables to be in struct",
                            "    - net/mlx5e: Support routed networks during IPsec MACs initialization",
                            "    - net/mlx5e: Fix \"scheduling while atomic\" in IPsec MAC address query",
                            "    - drm/tests: shmem: Swap names of export tests",
                            "    - KVM: x86: Return \"unsupported\" instead of \"invalid\" on access to",
                            "      unsupported PV MSR",
                            "    - media: amphion: Drop min_queued_buffers assignment",
                            "    - media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()",
                            "    - media: i2c: ov01a10: Fix passing stream instead of pad to",
                            "      v4l2_subdev_state_get_format()",
                            "    - media: ccs: Fix setting initial sub-device state",
                            "    - platform/x86: ISST: Add missing write block check",
                            "    - bus: omap-ocp2scp: fix OF populate on driver rebind",
                            "    - media: stm32: dcmipp: bytecap: clear all interrupts upon stream stop",
                            "    - drm/buddy: Prevent BUG_ON by validating rounded allocation",
                            "    - xfs: remove xfs_attr_leaf_hasname",
                            "    - mfd: qcom-pm8xxx: Fix OF populate on driver rebind",
                            "    - mfd: omap-usb-host: Fix OF populate on driver rebind",
                            "    - xfs: fix the xattr scrub to detect freemap/entries array collisions",
                            "    - pinctrl: intel: Add code name documentation",
                            "    - vhost: move vdpa group bound check to vhost_vdpa",
                            "    - clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841",
                            "    - mm/slab: use unsigned long for orig_size to ensure proper metadata align",
                            "    - drm/amd/display: Increase DCN35 SR enter/exit latency",
                            "    - drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify",
                            "    - mm: numa_memblks: Identify the accurate NUMA ID of CFMW",
                            "    - drm/amdgpu: keep vga memory on MacBooks with switchable graphics",
                            "    - most: core: fix leak on early registration failure",
                            "    - Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req",
                            "    - Upstream stable to v6.6.128, v6.12.75",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23249",
                            "    - xfs: check for deleted cursors when revalidating two btrees",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71267",
                            "    - fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71265",
                            "    - fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent",
                            "      metadata",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71266",
                            "    - fs: ntfs3: check return value of indx_find to avoid infinite loop",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23241",
                            "    - audit: add missing syscalls to read class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71239",
                            "    - audit: add fchmodat2() to change attributes class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-31411",
                            "    - net: atm: fix crash due to unvalidated vcc pointer in sigd_send()",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23243",
                            "    - RDMA/umad: Reject negative data_len in ib_umad_write",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23242",
                            "    - RDMA/siw: Fix potential NULL pointer dereference in header processing",
                            "  * Noble update: upstream stable patchset 2026-04-17 (LP: #2148714)",
                            "    - scsi: qla2xxx: Fix bsg_done() causing double free",
                            "    - PCI: endpoint: Remove unused field in struct pci_epf_group",
                            "    - bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show",
                            "      functions",
                            "    - bus: fsl-mc: fix use-after-free in driver_override_show()",
                            "    - ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list",
                            "    - gpio: sprd: Change sprd_gpio lock to raw_spin_lock",
                            "    - ALSA: hda/realtek: Add quirk for Inspur S14-G1",
                            "    - ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel",
                            "    - romfs: check sb_set_blocksize() return value",
                            "    - drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used",
                            "    - platform/x86: classmate-laptop: Add missing NULL pointer checks",
                            "    - ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9",
                            "    - ASoC: amd: yc: Add quirk for HP 200 G2a 16",
                            "    - platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro",
                            "    - platform/x86: panasonic-laptop: Fix sysfs group leak in error path",
                            "    - ASoC: cs42l43: Correct handling of 3-pole jack load detection",
                            "    - ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()",
                            "    - gpiolib: acpi: Fix gpio count with string references",
                            "    - LoongArch: Rework KASAN initialization for PTW-enabled systems",
                            "    - Revert \"wireguard: device: enable threaded NAPI\"",
                            "    - mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count",
                            "    - mm/hugetlb: fix hugetlb_pmd_shared()",
                            "    - mm/hugetlb: fix two comments related to huge_pmd_unshare()",
                            "    - mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using",
                            "      mmu_gather",
                            "    - cpuset: Fix missing adaptation for cpuset_is_populated",
                            "    - LoongArch: Add writecombine support for DMW-based ioremap()",
                            "    - fbdev: rivafb: fix divide error in nv3_arb()",
                            "    - fbdev: smscufx: properly copy ioctl memory to kernelspace",
                            "    - f2fs: fix to add gc count stat in f2fs_gc_range",
                            "    - f2fs: fix out-of-bounds access in sysfs attribute read/write",
                            "    - f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent",
                            "      atomic commit and checkpoint writes",
                            "    - f2fs: fix to avoid UAF in f2fs_write_end_io()",
                            "    - f2fs: fix to avoid mapping wrong physical block for swapfile",
                            "    - USB: serial: option: add Telit FN920C04 RNDIS compositions",
                            "    - bnxt_en: Change FW message timeout warning",
                            "    - bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code",
                            "    - ALSA: hda/realtek: Enable headset mic for Acer Nitro 5",
                            "    - drm/amd/display: remove assert around dpp_base replacement",
                            "    - ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()",
                            "    - Upstream stable to v6.6.126, v6.6.127, v6.12.73, v6.12.74",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260)",
                            "    - Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB",
                            "    - crypto: octeontx - Fix length check to avoid truncation in",
                            "      ucode_load_store",
                            "    - crypto: virtio - Remove duplicated virtqueue_kick in",
                            "      virtio_crypto_skcipher_crypt_req",
                            "    - scsi: qla2xxx: Allow recovery for tape devices",
                            "    - scsi: qla2xxx: Query FW again before proceeding with login",
                            "    - Revert \"netfilter: nf_tables: missing objects with no memcg accounting\"",
                            "    - netfilter: nf_tables: missing objects with no memcg accounting",
                            "    - vsock/test: verify socket options after setting them",
                            "    - selftests: mptcp: pm: ensure unknown flags are ignored",
                            "    - gpio: omap: do not register driver in probe()",
                            "    - net: tunnel: make skb_vlan_inet_prepare() return drop reasons",
                            "    - Upstream stable to v6.6.125, v6.12.71, v6.12.72",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71233",
                            "    - PCI: endpoint: Avoid creating sub-groups asynchronously",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71231",
                            "    - crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23169",
                            "    - mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-40005",
                            "    - spi: cadence-quadspi: Implement refcount to handle unbind during busy",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71232",
                            "    - scsi: qla2xxx: Free sp in error path to fix system crash",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71235",
                            "    - scsi: qla2xxx: Delay module unload while fabric scan in progress",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71236",
                            "    - scsi: qla2xxx: Validate sp before freeing associated memory",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71229",
                            "    - wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71237",
                            "    - nilfs2: Fix potential block overflow that cause system hang",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23229",
                            "    - crypto: virtio - Add spinlock protection with virtqueue notification",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23222",
                            "    - crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23228",
                            "    - smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23220",
                            "    - ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error",
                            "      paths",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23230",
                            "    - smb: client: split cached_fid bitfields to avoid shared-byte RMW races",
                            "  * CVE-2026-23272",
                            "    - netfilter: nf_tables: unconditionally bump set->nelems before insertion",
                            "  * CVE-2026-31418",
                            "    - netfilter: ipset: drop logically empty buckets in mtype_del",
                            "  * CVE-2026-23392",
                            "    - netfilter: nf_tables: release flowtable after rcu grace period on error",
                            "  * CVE-2026-23278",
                            "    - netfilter: nf_tables: always walk all pending catchall elements",
                            "  * GRO managed-frag use-after-free leading to local privilege escalation",
                            "    (LP: #2154172)",
                            "    - net: gro: don't merge zcopy skbs",
                            "  * AppArmor Vulnerabilities  (LP: #2151747)",
                            "    - apparmor: Fix incorrect profile->signal range check",
                            "    - SAUCE: apparmor: pass big_resp to handler",
                            "    - SAUCE: apparmor: remove redundant kref_init for listener->count",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47337",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47336",
                            "    - SAUCE: apparmor: fix use of unintialized variable in net opt level",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47335",
                            "    - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL",
                            "      check",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47334",
                            "    - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47333",
                            "    - SAUCE: apparmor: fix dfa unpacking size of the notification filter",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47332",
                            "    - SAUCE: apparmor: fix size check against type instead of pointer",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47331",
                            "    - SAUCE: apparmor: fix changing rules list without a lock",
                            "  * apparmor: LLVM/clang build failure due to uninitialized variable in",
                            "    notify.c (LP: #2148809) // CVE-2026-47330",
                            "    - SAUCE: apparmor: initialize variable used in uninitialized context",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47329",
                            "    - SAUCE: apparmor: fix name validation bypass on notification",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47327 //",
                            "    CVE-2026-47328",
                            "    - SAUCE: apparmor: fix glob memory leak after kstrdup",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47326",
                            "    - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer",
                            "  * CVE-2026-46300",
                            "    - net: skbuff: preserve shared-frag marker during coalescing",
                            "    - net: skbuff: propagate shared-frag marker through frag-transfer helpers",
                            "  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)",
                            "    - net/rds: reset op_nents when zerocopy page pin fails",
                            "  * CVE-2026-46333",
                            "    - ptrace: slightly saner 'get_dumpable()' logic",
                            "  * CVE-2026-43500",
                            "    - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets",
                            "    - rxrpc: Parse received packets before dealing with timeouts",
                            "    - rxrpc: Fix potential UAF after skb_unshare() failure",
                            "    - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets",
                            "    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
                            "  * CVE-2026-31676 // CVE-2026-43500",
                            "    - rxrpc: only handle RESPONSE during service challenge",
                            "  * CVE-2026-43284",
                            "    - xfrm: esp: avoid in-place decrypt on shared skb frags",
                            "  * CVE-2026-31419",
                            "    - net: bonding: fix use-after-free in bond_xmit_broadcast()",
                            "  * CVE-2026-31431",
                            "    - crypto: scatterwalk - Backport memcpy_sglist()",
                            "    - crypto: algif_aead - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: algif_aead - Revert to operating out-of-place",
                            "    - crypto: algif_aead - snapshot IV for async AEAD requests",
                            "    - crypto: authenc - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: authencesn - Do not place hiseq at end of dst for out-of-place",
                            "      decryption",
                            "    - crypto: authencesn - Fix src offset when decrypting in-place",
                            "    - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl",
                            "    - crypto: algif_aead - Fix minimum RX size check for decryption",
                            "  * CVE-2026-31533",
                            "    - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
                            "  * CVE-2026-31504",
                            "    - net: fix fanout UAF in packet_release() via NETDEV_UP race",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2151948,
                            2154560,
                            2146465,
                            2153556,
                            2152194,
                            2141536,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2148714,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2154172,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2148809,
                            2151747,
                            2151747,
                            2151747,
                            2153962
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:23:35 +0200"
                    }
                ],
                "notes": "linux-headers-6.8.0-134-generic version '6.8.0-134.134~22.04.1' (source package linux-riscv-6.8 version '6.8.0-134.134~22.04.1') was added. linux-headers-6.8.0-134-generic version '6.8.0-134.134~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-124-generic. As such we can use the source package version of the removed package, '6.8.0-124.124~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-6.8.0-134-generic",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-134.134~22.04.1",
                    "version": "6.8.0-134.134~22.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43185",
                        "url": "https://ubuntu.com/security/CVE-2026-43185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-06 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43501",
                        "url": "https://ubuntu.com/security/CVE-2026-43501",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45988",
                        "url": "https://ubuntu.com/security/CVE-2026-45988",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46043",
                        "url": "https://ubuntu.com/security/CVE-2026-46043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43493",
                        "url": "https://ubuntu.com/security/CVE-2026-43493",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43071",
                        "url": "https://ubuntu.com/security/CVE-2026-43071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-05 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31685",
                        "url": "https://ubuntu.com/security/CVE-2026-31685",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43117",
                        "url": "https://ubuntu.com/security/CVE-2026-43117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43114",
                        "url": "https://ubuntu.com/security/CVE-2026-43114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31607",
                        "url": "https://ubuntu.com/security/CVE-2026-31607",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31659",
                        "url": "https://ubuntu.com/security/CVE-2026-31659",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31649",
                        "url": "https://ubuntu.com/security/CVE-2026-31649",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31657",
                        "url": "https://ubuntu.com/security/CVE-2026-31657",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31637",
                        "url": "https://ubuntu.com/security/CVE-2026-31637",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31669",
                        "url": "https://ubuntu.com/security/CVE-2026-31669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31668",
                        "url": "https://ubuntu.com/security/CVE-2026-31668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43011",
                        "url": "https://ubuntu.com/security/CVE-2026-43011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43037",
                        "url": "https://ubuntu.com/security/CVE-2026-43037",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43341",
                        "url": "https://ubuntu.com/security/CVE-2026-43341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43038",
                        "url": "https://ubuntu.com/security/CVE-2026-43038",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31682",
                        "url": "https://ubuntu.com/security/CVE-2026-31682",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31436",
                        "url": "https://ubuntu.com/security/CVE-2026-31436",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43384",
                        "url": "https://ubuntu.com/security/CVE-2026-43384",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31448",
                        "url": "https://ubuntu.com/security/CVE-2026-31448",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31478",
                        "url": "https://ubuntu.com/security/CVE-2026-31478",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23428",
                        "url": "https://ubuntu.com/security/CVE-2026-23428",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23450",
                        "url": "https://ubuntu.com/security/CVE-2026-23450",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23455",
                        "url": "https://ubuntu.com/security/CVE-2026-23455",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31402",
                        "url": "https://ubuntu.com/security/CVE-2026-31402",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43383",
                        "url": "https://ubuntu.com/security/CVE-2026-43383",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43378",
                        "url": "https://ubuntu.com/security/CVE-2026-43378",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43414",
                        "url": "https://ubuntu.com/security/CVE-2026-43414",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43407",
                        "url": "https://ubuntu.com/security/CVE-2026-43407",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43406",
                        "url": "https://ubuntu.com/security/CVE-2026-43406",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23249",
                        "url": "https://ubuntu.com/security/CVE-2026-23249",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71267",
                        "url": "https://ubuntu.com/security/CVE-2025-71267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71265",
                        "url": "https://ubuntu.com/security/CVE-2025-71265",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71266",
                        "url": "https://ubuntu.com/security/CVE-2025-71266",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23241",
                        "url": "https://ubuntu.com/security/CVE-2026-23241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71239",
                        "url": "https://ubuntu.com/security/CVE-2025-71239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31411",
                        "url": "https://ubuntu.com/security/CVE-2026-31411",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23243",
                        "url": "https://ubuntu.com/security/CVE-2026-23243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23242",
                        "url": "https://ubuntu.com/security/CVE-2026-23242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71233",
                        "url": "https://ubuntu.com/security/CVE-2025-71233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71231",
                        "url": "https://ubuntu.com/security/CVE-2025-71231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23169",
                        "url": "https://ubuntu.com/security/CVE-2026-23169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-14 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40005",
                        "url": "https://ubuntu.com/security/CVE-2025-40005",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71232",
                        "url": "https://ubuntu.com/security/CVE-2025-71232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71235",
                        "url": "https://ubuntu.com/security/CVE-2025-71235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71236",
                        "url": "https://ubuntu.com/security/CVE-2025-71236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71229",
                        "url": "https://ubuntu.com/security/CVE-2025-71229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71237",
                        "url": "https://ubuntu.com/security/CVE-2025-71237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23229",
                        "url": "https://ubuntu.com/security/CVE-2026-23229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23222",
                        "url": "https://ubuntu.com/security/CVE-2026-23222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23228",
                        "url": "https://ubuntu.com/security/CVE-2026-23228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23220",
                        "url": "https://ubuntu.com/security/CVE-2026-23220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23230",
                        "url": "https://ubuntu.com/security/CVE-2026-23230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23272",
                        "url": "https://ubuntu.com/security/CVE-2026-23272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31418",
                        "url": "https://ubuntu.com/security/CVE-2026-31418",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23392",
                        "url": "https://ubuntu.com/security/CVE-2026-23392",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-03-25 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23278",
                        "url": "https://ubuntu.com/security/CVE-2026-23278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47337",
                        "url": "https://ubuntu.com/security/CVE-2026-47337",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47336",
                        "url": "https://ubuntu.com/security/CVE-2026-47336",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47335",
                        "url": "https://ubuntu.com/security/CVE-2026-47335",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47334",
                        "url": "https://ubuntu.com/security/CVE-2026-47334",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47333",
                        "url": "https://ubuntu.com/security/CVE-2026-47333",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47332",
                        "url": "https://ubuntu.com/security/CVE-2026-47332",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47331",
                        "url": "https://ubuntu.com/security/CVE-2026-47331",
                        "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47330",
                        "url": "https://ubuntu.com/security/CVE-2026-47330",
                        "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47329",
                        "url": "https://ubuntu.com/security/CVE-2026-47329",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47327",
                        "url": "https://ubuntu.com/security/CVE-2026-47327",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47328",
                        "url": "https://ubuntu.com/security/CVE-2026-47328",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47326",
                        "url": "https://ubuntu.com/security/CVE-2026-47326",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46300",
                        "url": "https://ubuntu.com/security/CVE-2026-46300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-23 12:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46333",
                        "url": "https://ubuntu.com/security/CVE-2026-46333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43500",
                        "url": "https://ubuntu.com/security/CVE-2026-43500",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-11 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31676",
                        "url": "https://ubuntu.com/security/CVE-2026-31676",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43284",
                        "url": "https://ubuntu.com/security/CVE-2026-43284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31419",
                        "url": "https://ubuntu.com/security/CVE-2026-31419",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31431",
                        "url": "https://ubuntu.com/security/CVE-2026-31431",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31533",
                        "url": "https://ubuntu.com/security/CVE-2026-31533",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-23 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31504",
                        "url": "https://ubuntu.com/security/CVE-2026-31504",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2158431,
                    2158432,
                    2158377,
                    2157195,
                    2157196,
                    1786013,
                    2151948,
                    2154560,
                    2146465,
                    2153556,
                    2152194,
                    2141536,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2148714,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2154172,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2148809,
                    2151747,
                    2151747,
                    2151747,
                    2153962
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-134.134~22.04.1 -proposed tracker (LP: #2158431)",
                            "",
                            "  [ Ubuntu: 6.8.0-134.134 ]",
                            "",
                            "  * noble/linux: 6.8.0-134.134 -proposed tracker (LP: #2158432)",
                            "  * ext4: writeback causes kernel oops when low on space (LP: #2158377)",
                            "    - ext4: get rid of ppath in get_ext_path()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2158431,
                            2158432,
                            2158377
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 16:08:57 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43185",
                                "url": "https://ubuntu.com/security/CVE-2026-43185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-06 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43501",
                                "url": "https://ubuntu.com/security/CVE-2026-43501",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45988",
                                "url": "https://ubuntu.com/security/CVE-2026-45988",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46043",
                                "url": "https://ubuntu.com/security/CVE-2026-46043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43493",
                                "url": "https://ubuntu.com/security/CVE-2026-43493",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43071",
                                "url": "https://ubuntu.com/security/CVE-2026-43071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-05 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31685",
                                "url": "https://ubuntu.com/security/CVE-2026-31685",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43117",
                                "url": "https://ubuntu.com/security/CVE-2026-43117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43114",
                                "url": "https://ubuntu.com/security/CVE-2026-43114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31607",
                                "url": "https://ubuntu.com/security/CVE-2026-31607",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31659",
                                "url": "https://ubuntu.com/security/CVE-2026-31659",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31649",
                                "url": "https://ubuntu.com/security/CVE-2026-31649",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31657",
                                "url": "https://ubuntu.com/security/CVE-2026-31657",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31637",
                                "url": "https://ubuntu.com/security/CVE-2026-31637",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31669",
                                "url": "https://ubuntu.com/security/CVE-2026-31669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31668",
                                "url": "https://ubuntu.com/security/CVE-2026-31668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43011",
                                "url": "https://ubuntu.com/security/CVE-2026-43011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43037",
                                "url": "https://ubuntu.com/security/CVE-2026-43037",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43341",
                                "url": "https://ubuntu.com/security/CVE-2026-43341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43038",
                                "url": "https://ubuntu.com/security/CVE-2026-43038",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31682",
                                "url": "https://ubuntu.com/security/CVE-2026-31682",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31436",
                                "url": "https://ubuntu.com/security/CVE-2026-31436",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43384",
                                "url": "https://ubuntu.com/security/CVE-2026-43384",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31448",
                                "url": "https://ubuntu.com/security/CVE-2026-31448",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31478",
                                "url": "https://ubuntu.com/security/CVE-2026-31478",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23428",
                                "url": "https://ubuntu.com/security/CVE-2026-23428",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23450",
                                "url": "https://ubuntu.com/security/CVE-2026-23450",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23455",
                                "url": "https://ubuntu.com/security/CVE-2026-23455",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31402",
                                "url": "https://ubuntu.com/security/CVE-2026-31402",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43383",
                                "url": "https://ubuntu.com/security/CVE-2026-43383",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43378",
                                "url": "https://ubuntu.com/security/CVE-2026-43378",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43414",
                                "url": "https://ubuntu.com/security/CVE-2026-43414",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43407",
                                "url": "https://ubuntu.com/security/CVE-2026-43407",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43406",
                                "url": "https://ubuntu.com/security/CVE-2026-43406",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-131.131~22.04.1 -proposed tracker (LP: #2157195)",
                            "",
                            "  [ Ubuntu: 6.8.0-131.131 ]",
                            "",
                            "  * noble/linux: 6.8.0-131.131 -proposed tracker (LP: #2157196)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "  * CVE-2026-43185",
                            "    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "  * CVE-2026-43501",
                            "    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
                            "  * CVE-2026-45988",
                            "    - rxrpc: Fix re-decryption of RESPONSE packets",
                            "  * CVE-2026-46043",
                            "    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv",
                            "  * CVE-2026-43493",
                            "    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests",
                            "  * CVE-2026-43071",
                            "    - dcache: Limit the minimal number of bucket to two",
                            "  * CVE-2026-31685",
                            "    - netfilter: ip6t_eui64: reject invalid MAC header for all packets",
                            "  * CVE-2026-43117",
                            "    - btrfs: tracepoints: get correct superblock from dentry in event",
                            "      btrfs_sync_file()",
                            "  * CVE-2026-43114",
                            "    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on",
                            "      expiry",
                            "  * CVE-2026-31607",
                            "    - usbip: validate number_of_packets in usbip_pack_ret_submit()",
                            "  * CVE-2026-31659",
                            "    - batman-adv: reject oversized global TT response buffers",
                            "  * CVE-2026-31649",
                            "    - net: stmmac: fix integer underflow in chain mode",
                            "  * CVE-2026-31657",
                            "    - batman-adv: hold claim backbone gateways by reference",
                            "  * CVE-2026-31637",
                            "    - rxrpc: reject undecryptable rxkad response tickets",
                            "  * CVE-2026-31669",
                            "    - mptcp: fix slab-use-after-free in __inet_lookup_established",
                            "  * CVE-2026-31668",
                            "    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel",
                            "  * CVE-2026-43011",
                            "    - net/x25: Fix potential double free of skb",
                            "  * CVE-2026-43037",
                            "    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()",
                            "  * CVE-2026-43341",
                            "    - net/ipv6: ioam6: prevent schema length wraparound in trace fill",
                            "  * CVE-2026-43038",
                            "    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()",
                            "  * CVE-2026-31682",
                            "    - bridge: br_nd_send: linearize skb before parsing ND options",
                            "  * CVE-2026-31436",
                            "    - dmaengine: idxd: fix possible wrong descriptor completion in",
                            "      llist_abort_desc()",
                            "  * CVE-2026-43384",
                            "    - net/tcp-ao: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-31448",
                            "    - ext4: get rid of ppath in ext4_find_extent()",
                            "    - ext4: get rid of ppath in ext4_ext_create_new_leaf()",
                            "    - ext4: get rid of ppath in ext4_ext_insert_extent()",
                            "    - ext4: avoid infinite loops caused by residual data",
                            "  * CVE-2026-31478",
                            "    - ksmbd: replace hardcoded hdr2_len with offsetof() in",
                            "      smb2_calc_max_out_buf_len()",
                            "  * CVE-2026-23428",
                            "    - ksmbd: fix use-after-free of share_conf in compound request",
                            "  * CVE-2026-23450",
                            "    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()",
                            "  * CVE-2026-23455",
                            "    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()",
                            "  * CVE-2026-31402",
                            "    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
                            "  * CVE-2026-43383",
                            "    - net/tcp-md5: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-43378",
                            "    - smb: server: fix use-after-free in smb2_open()",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            "  * CVE-2026-43414",
                            "    - scsi: qla2xxx: Completely fix fcport double free",
                            "  * CVE-2026-43407",
                            "    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()",
                            "  * CVE-2026-43406",
                            "    - libceph: prevent potential out-of-bounds reads in",
                            "      process_message_header()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2157195,
                            2157196,
                            1786013
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:45:49 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23249",
                                "url": "https://ubuntu.com/security/CVE-2026-23249",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71267",
                                "url": "https://ubuntu.com/security/CVE-2025-71267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71265",
                                "url": "https://ubuntu.com/security/CVE-2025-71265",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71266",
                                "url": "https://ubuntu.com/security/CVE-2025-71266",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23241",
                                "url": "https://ubuntu.com/security/CVE-2026-23241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71239",
                                "url": "https://ubuntu.com/security/CVE-2025-71239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31411",
                                "url": "https://ubuntu.com/security/CVE-2026-31411",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23243",
                                "url": "https://ubuntu.com/security/CVE-2026-23243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23242",
                                "url": "https://ubuntu.com/security/CVE-2026-23242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71233",
                                "url": "https://ubuntu.com/security/CVE-2025-71233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71231",
                                "url": "https://ubuntu.com/security/CVE-2025-71231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23169",
                                "url": "https://ubuntu.com/security/CVE-2026-23169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-14 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40005",
                                "url": "https://ubuntu.com/security/CVE-2025-40005",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71232",
                                "url": "https://ubuntu.com/security/CVE-2025-71232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71235",
                                "url": "https://ubuntu.com/security/CVE-2025-71235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71236",
                                "url": "https://ubuntu.com/security/CVE-2025-71236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71229",
                                "url": "https://ubuntu.com/security/CVE-2025-71229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71237",
                                "url": "https://ubuntu.com/security/CVE-2025-71237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23229",
                                "url": "https://ubuntu.com/security/CVE-2026-23229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23222",
                                "url": "https://ubuntu.com/security/CVE-2026-23222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23228",
                                "url": "https://ubuntu.com/security/CVE-2026-23228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23220",
                                "url": "https://ubuntu.com/security/CVE-2026-23220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23230",
                                "url": "https://ubuntu.com/security/CVE-2026-23230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23272",
                                "url": "https://ubuntu.com/security/CVE-2026-23272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31418",
                                "url": "https://ubuntu.com/security/CVE-2026-31418",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23392",
                                "url": "https://ubuntu.com/security/CVE-2026-23392",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-03-25 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23278",
                                "url": "https://ubuntu.com/security/CVE-2026-23278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47337",
                                "url": "https://ubuntu.com/security/CVE-2026-47337",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47336",
                                "url": "https://ubuntu.com/security/CVE-2026-47336",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47335",
                                "url": "https://ubuntu.com/security/CVE-2026-47335",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47334",
                                "url": "https://ubuntu.com/security/CVE-2026-47334",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47333",
                                "url": "https://ubuntu.com/security/CVE-2026-47333",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47332",
                                "url": "https://ubuntu.com/security/CVE-2026-47332",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47331",
                                "url": "https://ubuntu.com/security/CVE-2026-47331",
                                "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47330",
                                "url": "https://ubuntu.com/security/CVE-2026-47330",
                                "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47329",
                                "url": "https://ubuntu.com/security/CVE-2026-47329",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47327",
                                "url": "https://ubuntu.com/security/CVE-2026-47327",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47328",
                                "url": "https://ubuntu.com/security/CVE-2026-47328",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47326",
                                "url": "https://ubuntu.com/security/CVE-2026-47326",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46300",
                                "url": "https://ubuntu.com/security/CVE-2026-46300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-23 12:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46333",
                                "url": "https://ubuntu.com/security/CVE-2026-46333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43500",
                                "url": "https://ubuntu.com/security/CVE-2026-43500",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-11 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31676",
                                "url": "https://ubuntu.com/security/CVE-2026-31676",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43284",
                                "url": "https://ubuntu.com/security/CVE-2026-43284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31419",
                                "url": "https://ubuntu.com/security/CVE-2026-31419",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31431",
                                "url": "https://ubuntu.com/security/CVE-2026-31431",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31533",
                                "url": "https://ubuntu.com/security/CVE-2026-31533",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-23 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31504",
                                "url": "https://ubuntu.com/security/CVE-2026-31504",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-130.130~22.04.1 -proposed tracker (LP: #2151948)",
                            "",
                            "  [ Ubuntu: 6.8.0-130.130 ]",
                            "",
                            "  * noble/linux: 6.8.0-130.130 -proposed tracker (LP: #2154560)",
                            "  * Noble update: upstream stable patchset 2026-03-26 (LP: #2146465)",
                            "    - Revert \"UBUNTU: SAUCE: Fix skb_vlan_inet_prepare() usage\"",
                            "  * Kernel regression (6.8.0-117.generic) (LP: #2153556)",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - bonding: do not set usable_slaves for broadcast mode",
                            "  * perf_cpu_map__merge fails to compile on ppc46el, s390x on noble linux",
                            "    (LP: #2152194)",
                            "    - SAUCE: temporary fix attempt for size eceed",
                            "  * Some powerpc test from ubuntu_kernel_selftests timeout with 45 seconds",
                            "    (LP: #2141536)",
                            "    - selftests/powerpc: Lower run time of count_stcx_fail test",
                            "    - selftests/powerpc: Give all tests 2 minutes timeout",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809)",
                            "    - auxdisplay: arm-charlcd: fix release_mem_region() size",
                            "    - hfsplus: return error when node already exists in hfs_bnode_create",
                            "    - rcu: s/boost_kthread_mutex/kthread_mutex",
                            "    - rcu/exp: Move expedited kthread worker creation functions above",
                            "      rcutree_prepare_cpu()",
                            "    - rcu: Refactor expedited handling check in rcu_read_unlock_special()",
                            "    - rcu: Remove local_irq_save/restore() in",
                            "      rcu_preempt_deferred_qs_handler()",
                            "    - rcu: Fix rcu_read_unlock() deadloop due to softirq",
                            "    - audit: move the compat_xxx_class[] extern declarations to audit_arch.h",
                            "    - i3c: Move device name assignment after i3c_bus_init",
                            "    - fs: add <linux/init_task.h> for 'init_fs'",
                            "    - i3c: master: Update hot-join flag only on success",
                            "    - gfs2: Retries missing in gfs2_{rename,exchange}",
                            "    - gfs2: Fix use-after-free in iomap inline data write path",
                            "    - i3c: dw: Initialize spinlock to avoid upsetting lockdep",
                            "    - tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure",
                            "    - tpm: st33zp24: Fix missing cleanup on get_burstcount() error",
                            "    - btrfs: qgroup: return correct error when deleting qgroup relation item",
                            "    - btrfs: fix block_group_tree dirty_list corruption",
                            "    - smb: client: fix potential UAF and double free in smb2_open_file()",
                            "    - xen/virtio: Don't use grant-dma-ops when running as Dom0",
                            "    - ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()",
                            "    - io_uring/sync: validate passed in offset",
                            "    - cpuidle: menu: Cleanup after loadavg removal",
                            "    - cpuidle: governors: menu: Always check timers with tick stopped",
                            "    - md/raid10: fix any_working flag handling in raid10_sync_request",
                            "    - iomap: fix submission side handling of completion side errors",
                            "    - ublk: Validate SQE128 flag before accessing the cmd",
                            "    - x86/xen: make some functions static",
                            "    - Partial revert \"x86/xen: fix balloon target initialization for PVH dom0\"",
                            "    - PM: wakeup: Handle empty list in wakeup_sources_walk_start()",
                            "    - perf: arm_spe: Properly set hw.state on failures",
                            "    - PM: sleep: wakeirq: harden dev_pm_clear_wake_irq() against races",
                            "    - s390/cio: Fix device lifecycle handling in css_alloc_subchannel()",
                            "    - crypto: qat - fix warning on adf_pfvf_pf_proto.c",
                            "    - selftests/bpf: veristat: fix printing order in output_stats()",
                            "    - libbpf: Fix OOB read in btf_dump_get_bitfield_value",
                            "    - ARM: VDSO: Patch out __vdso_clock_getres() if unavailable",
                            "    - crypto: cavium - fix dma_free_coherent() size",
                            "    - crypto: octeontx - fix dma_free_coherent() size",
                            "    - crypto: hisilicon/zip - adjust the way to obtain the req in the callback",
                            "      function",
                            "    - crypto: hisilicon/sec2 - support skcipher/aead fallback for hardware",
                            "      queue unavailable",
                            "    - hrtimer: Fix trace oddity",
                            "    - bpf, sockmap: Fix incorrect copied_seq calculation",
                            "    - bpf, sockmap: Fix FIONREAD for sockmap",
                            "    - crypto: hisilicon/trng - modifying the order of header files",
                            "    - crypto: hisilicon/trng - support tfms sharing the device",
                            "    - bpf: Fix bpf_xdp_store_bytes proto for read-only arg",
                            "    - scsi: efct: Use IRQF_ONESHOT and default primary handler",
                            "    - EDAC/altera: Remove IRQF_ONESHOT",
                            "    - mfd: wm8350-core: Use IRQF_ONESHOT",
                            "    - sched/rt: Skip currently executing CPU in rto_next_cpu()",
                            "    - pstore/ram: fix buffer overflow in persistent_ram_save_old()",
                            "    - soc: qcom: smem: handle ENOMEM error during probe",
                            "    - EDAC/i5000: Fix snprintf() size calculation in calculate_dimm_size()",
                            "    - EDAC/i5400: Fix snprintf() limit calculation in calculate_dimm_size()",
                            "    - arm64: dts: tqma8mpql-mba8mpxl: Fix HDMI CEC pad control settings",
                            "    - clk: qcom: Return correct error code in qcom_cc_probe_by_index()",
                            "    - arm64: dts: qcom: sdm630: fix gpu_speed_bin size",
                            "    - arm64: dts: qcom: sdm845-oneplus: Don't mark ts supply boot-on",
                            "    - ARM: dts: allwinner: sun5i-a13-utoo-p66: delete \"power-gpios\" property",
                            "    - powerpc/uaccess: Move barrier_nospec() out of",
                            "      allow_read_{from/write}_user()",
                            "    - soc: qcom: cmd-db: Use devm_memremap() to fix memory leak in",
                            "      cmd_db_dev_probe",
                            "    - soc: mediatek: svs: Fix memory leak in svs_enable_debug_write()",
                            "    - powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event",
                            "      handling",
                            "    - ARM: dts: lpc32xx: Set motor PWM #pwm-cells property value to 3 cells",
                            "    - arm: dts: lpc32xx: add clocks property to Motor Control PWM device tree",
                            "      node",
                            "    - arm64: dts: amlogic: axg: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: gx: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC B and C signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC A signal clock",
                            "    - arm64: dts: qcom: sdm845-db845c: drop CS from SPIO0",
                            "    - arm64: dts: qcom: sdm845-db845c: specify power for WiFi CH1",
                            "    - arm64: dts: qcom: sm6115: Add CX_MEM/DBGC GPU regions",
                            "    - workqueue: Factor out assign_rescuer_work()",
                            "    - workqueue: Only assign rescuer work when really needed",
                            "    - workqueue: Process rescuer work items one-by-one using a cursor",
                            "    - smack: /smack/doi must be > 0",
                            "    - smack: /smack/doi: accept previously used values",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - ASoC: nau8821: Fixup nau8821_enable_jack_detect()",
                            "    - drm/amdgpu: Use explicit VCN instance 0 in SR-IOV init",
                            "    - drm/msm/disp/dpu: add merge3d support for sc7280",
                            "    - regulator: core: move supply check earlier in set_machine_constraints()",
                            "    - HID: playstation: Add missing check for input_ff_create_memless",
                            "    - drm/msm/dpu: fix CMD panels on DPU 1.x - 3.x",
                            "    - media: ccs: Accommodate C-PHY into the calculation",
                            "    - drm/msm/a2xx: fix pixel shader start on A225",
                            "    - platform/chrome: cros_typec_switch: Don't touch struct",
                            "      fwnode_handle::dev",
                            "    - media: uvcvideo: Fix allocation for small frame sizes",
                            "    - platform/chrome: cros_ec_lightbar: Fix response size initialization",
                            "    - spi: tools: Add include folder to .gitignore",
                            "    - Revert \"hwmon: (ibmpex) fix use-after-free in high/low store\"",
                            "    - PCI: mediatek: Fix IRQ domain leak when MSI allocation fails",
                            "    - Documentation: PCI: endpoint: Fix ntb/vntb copy & paste errors",
                            "    - PCI/PM: Avoid redundant delays on D3hot->D3cold",
                            "    - PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails",
                            "    - Documentation: tracing: Add ring-buffer mapping",
                            "    - docs: fix WARNING document not included in any toctree",
                            "    - Documentation: trace: Refactor toctree",
                            "    - Documentation: tracing: Add PCI tracepoint documentation",
                            "    - PCI: Do not attempt to set ExtTag for VFs",
                            "    - PCI/portdrv: Fix potential resource leak",
                            "    - quota: fix livelock between quotactl and freeze_super",
                            "    - net: mctp-i2c: fix duplicate reception of old data",
                            "    - mctp i2c: initialise event handler read bytes",
                            "    - wifi: cfg80211: stop NAN and P2P in cfg80211_leave",
                            "    - netfilter: nf_tables: reset table validation state on abort",
                            "    - netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH",
                            "    - netfilter: nf_conncount: increase the connection clean up limit to 64",
                            "    - netfilter: nft_compat: add more restrictions on netlink attributes",
                            "    - netfilter: nf_conncount: fix tracking of connections from localhost",
                            "    - module: add helper function for reading module_buildid()",
                            "    - kallsyms/ftrace: set module buildid in ftrace_mod_address_lookup()",
                            "    - PCI: Mark 3ware-9650SA Root Port Extended Tags as broken",
                            "    - iommu/vt-d: Flush cache for PASID table before using it",
                            "    - dm: use bio_clone_blkg_association",
                            "    - nfsd: never defer requests during idmap lookup",
                            "    - fat: avoid parent link count underflow in rmdir",
                            "    - tcp: tcp_tx_timestamp() must look at the rtx queue",
                            "    - wifi: ath10k: sdio: add missing lock protection in",
                            "      ath10k_sdio_fw_crashed_dump()",
                            "    - PCI: Initialize RCB from pci_configure_device()",
                            "    - PCI: Add PCIE_MSG_CODE_ASSERT_INTx message macros",
                            "    - PCI: Add defines for bridge window indexing",
                            "    - PCI/ACPI: Restrict program_hpx_type2() to AER bits",
                            "    - ipc: don't audit capability check in ipc_permissions()",
                            "    - ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()",
                            "    - of: unittest: fix possible null-pointer dereferences in",
                            "      of_unittest_property_copy()",
                            "    - mptcp: fix receive space timestamp initialization",
                            "    - octeontx2-af: Fix PF driver crash with kexec kernel booting",
                            "    - bonding: only set speed/duplex to unknown, if getting speed failed",
                            "    - inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP",
                            "    - nfc: hci: shdlc: Stop timers and work before freeing context",
                            "    - netfilter: nft_set_hash: fix get operation on big endian",
                            "    - netfilter: nft_counter: fix reset of counters on 32bit archs",
                            "    - netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets",
                            "    - PCI: Add ACS quirk for Pericom PI7C9X2G404 switches [12d8:b404]",
                            "    - net: hns3: fix double free issue for tx spare buffer",
                            "    - procfs: fix missing RCU protection when reading real_parent in",
                            "      do_task_stat()",
                            "    - smb: client: correct value for smbd_max_fragmented_recv_size",
                            "    - net: sunhme: Fix sbus regression",
                            "    - net: Add skb_dstref_steal and skb_dstref_restore",
                            "    - net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input",
                            "      callers",
                            "    - xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path",
                            "    - serial: caif: fix use-after-free in caif_serial ldisc_close()",
                            "    - octeon_ep: disable per ring interrupts",
                            "    - octeon_ep: ensure dbell BADDR updation",
                            "    - ionic: Rate limit unknown xcvr type messages",
                            "    - octeontx2-pf: Unregister devlink on probe failure",
                            "    - RDMA/rtrs: server: remove dead code",
                            "    - IB/cache: update gid cache on client reregister event",
                            "    - RDMA/hns: Fix WQ_MEM_RECLAIM warning",
                            "    - RDMA/hns: Notify ULP of remaining soft-WCs during reset",
                            "    - power: supply: ab8500: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: act8945a: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq256xx: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq25980: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: cpcap-battery: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: goldfish: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: rt9455: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: sbs-battery: Fix use-after-free in power_supply_changed()",
                            "    - power: reset: nvmem-reboot-mode: respect cell size for nvmem_cell_write",
                            "    - power: supply: bq27xxx: fix wrong errno when bus ops are unsupported",
                            "    - power: supply: wm97xx: Fix NULL pointer dereference in",
                            "      power_supply_changed()",
                            "    - RDMA/rtrs-srv: fix SG mapping",
                            "    - RDMA/rxe: Fix double free in rxe_srq_from_init",
                            "    - tools/power/x86/intel-speed-select: Fix file descriptor leak in",
                            "      isolate_cpus()",
                            "    - mtd: rawnand: cadence: Fix return type of CDMA send-and-wait helper",
                            "    - crypto: ccp - Add an S4 restore flow",
                            "    - crypto: ccp - Factor out ring destroy handling to a helper",
                            "    - crypto: ccp - Send PSP_CMD_TEE_RING_DESTROY when PSP_CMD_TEE_RING_INIT",
                            "      fails",
                            "    - mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()",
                            "    - RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send",
                            "    - RDMA/rxe: Fix race condition in QP timer handlers",
                            "    - svcrdma: Increase the per-transport rw_ctx count",
                            "    - svcrdma: Reduce the number of rdma_rw contexts per-QP",
                            "    - RDMA/core: add rdma_rw_max_sge() helper for SQ sizing",
                            "    - cxl: Fix premature commit_end increment on decoder commit failure",
                            "    - mtd: parsers: ofpart: fix OF node refcount leak in",
                            "      parse_fixed_partitions()",
                            "    - mtd: spinand: Fix kernel doc",
                            "    - power: supply: qcom_battmgr: Recognize \"LiP\" as lithium-polymer",
                            "    - RDMA/uverbs: Add __GFP_NOWARN to ib_uverbs_unmarshall_recv() kmalloc",
                            "    - pNFS: fix a missing wake up while waiting on NFS_LAYOUT_DRAIN",
                            "    - scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()",
                            "    - scsi: ufs: host: mediatek: Require CONFIG_PM",
                            "    - scsi: csiostor: Fix dereference of null pointer rn",
                            "    - nvdimm: virtio_pmem: serialize flush requests",
                            "    - fs/nfs: Fix readdir slow-start regression",
                            "    - tracing: Properly process error handling in event_hist_trigger_parse()",
                            "    - tracing: Remove duplicate ENABLE_EVENT_STR and DISABLE_EVENT_STR macros",
                            "    - fbdev: of_display_timing: Fix device node reference leak in",
                            "      of_get_display_timings()",
                            "    - fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe()",
                            "    - clk: qcom: gcc-sm8550: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: rcg2: compute 2d using duty fraction directly",
                            "    - clk: meson: gxbb: Limit the HDMI PLL OD to /4 on GXL/GXM SoCs",
                            "    - clk: qcom: gcc-sm8450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-sdx75: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-qdu1000: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-msm8953: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-msm8917: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-ipq5018: flag sleep clock as critical",
                            "    - clk: Move clk_{save,restore}_context() to COMMON_CLK section",
                            "    - clk: qcom: dispcc-sdm845: Enable parents for pixel clocks",
                            "    - clk: qcom: gfx3d: add parent to parent request map",
                            "    - clk: mediatek: Fix error handling in runtime PM setup",
                            "    - dmaengine: mediatek: uart-apdma: Fix above 4G addressing TX/RX",
                            "    - dma: dma-axi-dmac: fix SW cyclic transfers",
                            "    - staging: greybus: lights: avoid NULL deref",
                            "    - serial: imx: change SERIAL_IMX_CONSOLE to bool",
                            "    - serial: SH_SCI: improve \"DMA support\" prompt",
                            "    - mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms",
                            "    - iio: pressure: mprls0025pa: fix scan_type struct",
                            "    - watchdog: starfive-wdt: Fix PM reference leak in probe error path",
                            "    - coresight: etm3x: Fix cpulocked warning on cpuhp",
                            "    - Revert \"mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms\"",
                            "    - mfd: arizona: Fix regulator resource leak on",
                            "      wm5102_clear_write_sequencer() failure",
                            "    - mfd: simple-mfd-i2c: Add MAX77705 support",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: simple-mfd-i2c: Add SpacemiT P1 support",
                            "    - mfd: simple-mfd-i2c: Keep compatible strings in alphabetical order",
                            "    - mfd: simple-mfd-i2c: Add Delta TN48M CPLD support",
                            "    - [Config] Disable new Delta TN48M CPLD support by default",
                            "    - drivers: iio: mpu3050: use dev_err_probe for regulator request",
                            "    - usb: bdc: fix sleep during atomic",
                            "    - pinctrl: equilibrium: Fix device node reference leak in pinbank_init()",
                            "    - ovl: Fix uninit-value in ovl_fill_real",
                            "    - iio: sca3000: Fix a resource leak in sca3000_probe()",
                            "    - pinctrl: qcom: sm8250-lpass-lpi: Fix i2s2_data_groups definition",
                            "    - pinctrl: single: fix refcount leak in pcs_add_gpio_func()",
                            "    - leds: qcom-lpg: Check the return value of regmap_bulk_write()",
                            "    - backlight: qcom-wled: Support ovp values for PMI8994",
                            "    - backlight: qcom-wled: Change PM8950 WLED configurations",
                            "    - dmaengine: fsl-edma: don't explicitly disable clocks in .remove()",
                            "    - io_uring/cancel: de-unionize file and user_data in struct io_cancel_data",
                            "    - fs/ntfs3: prevent infinite loops caused by the next valid being the same",
                            "    - fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot",
                            "    - ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs",
                            "    - powercap: intel_rapl_tpmi: Remove FW_BUG from invalid version check",
                            "    - kbuild: Add objtool to top-level clean target",
                            "    - selftests/memfd: delete unused declarations",
                            "    - selftests/memfd: use IPC semaphore instead of SIGSTOP/SIGCONT",
                            "    - ACPI: PM: Add unused power resource quirk for THUNDEROBOT ZERO",
                            "    - cpuidle: Skip governor when only one idle state is available",
                            "    - selftests: mlxsw: tc_restrictions: Fix test failure with new iproute2",
                            "    - net: sparx5/lan969x: fix DWRR cost max to match hardware register width",
                            "    - net: mscc: ocelot: extract ocelot_xmit_timestamp() helper",
                            "    - net: mscc: ocelot: split xmit into FDMA and register injection paths",
                            "    - net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj()",
                            "    - ipv6: Fix out-of-bound access in fib6_add_rt2node().",
                            "    - net: sparx5/lan969x: fix PTP clock max_adj value",
                            "    - net: usb: catc: enable basic endpoint checking",
                            "    - xen-netback: reject zero-queue configuration from guest",
                            "    - net/rds: rds_sendmsg should not discard payload_len",
                            "    - net: bridge: mcast: always update mdb_n_entries for vlan contexts",
                            "    - selftests: forwarding: vxlan_bridge_1d: fix test failure with",
                            "      br_netfilter enabled",
                            "    - selftests: forwarding: vxlan_bridge_1d_ipv6: fix test failure with",
                            "      br_netfilter enabled",
                            "    - netfilter: nf_conntrack_h323: don't pass uninitialised l3num value",
                            "    - net: remove WARN_ON_ONCE when accessing forward path array",
                            "    - ipv6: fix a race in ip6_sock_set_v6only()",
                            "    - bpftool: Fix truncated netlink dumps",
                            "    - ping: annotate data-races in ping_lookup()",
                            "    - icmp: move icmp_global.credit and icmp_global.stamp to per netns storage",
                            "    - icmp: icmp_msgs_per_sec and icmp_msgs_burst sysctls become per netns",
                            "    - icmp: prevent possible overflow in icmp_global_allow()",
                            "    - cache: add __cacheline_group_{begin, end}_aligned() (+ couple more)",
                            "    - inet: move icmp_global_{credit,stamp} to a separate cache line",
                            "    - octeontx2-af: Fix default entries mcam entry action",
                            "    - bonding: alb: fix UAF in rlb_arp_recv during bond up/down",
                            "    - net/mlx5: Fix multiport device check over light SFs",
                            "    - apparmor: fix NULL sock in aa_sock_file_perm",
                            "    - apparmor: return -ENOMEM in unpack_perms_table upon alloc failure",
                            "    - apparmor: fix rlimit for posix cpu timers",
                            "    - apparmor: remove apply_modes_to_perms from label_match",
                            "    - apparmor: make label_match return a consistent value",
                            "    - apparmor: fix invalid deref of rawdata when export_binary is unset",
                            "    - apparmor: fix aa_label to return state from compount and component match",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_ras_init()",
                            "    - drm/i915/acpi: free _DSM package when no connectors",
                            "    - ASoC: codecs: aw88261: Fix erroneous bitmask logic in Awinic init",
                            "    - drm/amdkfd: fix debug watchpoints for logical devices",
                            "    - drm/amdkfd: Fix watch_id bounds checking in debug address watch v2",
                            "    - spi: wpcm-fiu: Use devm_platform_ioremap_resource_byname()",
                            "    - spi: wpcm-fiu: Fix uninitialized res",
                            "    - spi: wpcm-fiu: Simplify with dev_err_probe()",
                            "    - spi: wpcm-fiu: Fix potential NULL pointer dereference in",
                            "      wpcm_fiu_probe()",
                            "    - s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n",
                            "    - efi: Fix reservation of unaccepted memory table",
                            "    - btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not",
                            "      found",
                            "    - x86/hyperv: Fix error pointer dereference",
                            "    - ASoC: rockchip: i2s-tdm: Use param rate if not provided by set_sysclk",
                            "    - drm/amd/display: Use same max plane scaling limits for all 64 bpp",
                            "      formats",
                            "    - MIPS: Work around LLVM bug when gp is used as global register variable",
                            "    - ext4: don't cache extent during splitting extent",
                            "    - ext4: fix memory leak in ext4_ext_shift_extents()",
                            "    - ext4: use optimized mballoc scanning regardless of inode format",
                            "    - ata: pata_ftide010: Fix some DMA timings",
                            "    - ata: libata-scsi: refactor ata_scsi_translate()",
                            "    - SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths",
                            "    - SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path",
                            "    - ASoC: dt-bindings: asahi-kasei,ak4458: Fix the supply names",
                            "    - ASoC: dt-bindings: asahi-kasei,ak5558: Fix the supply names",
                            "    - perf test stat: Update test expectations and events",
                            "    - perf test stat tests: Fix for virtualized machines",
                            "    - perf unwind-libdw: Fix invalid reference counts",
                            "    - perf callchain: Fix srcline printing with inlines",
                            "    - libsubcmd: Fix null intersection case in exclude_cmds()",
                            "    - libperf: Don't remove -g when EXTRA_CFLAGS are used",
                            "    - libperf build: Always place libperf includes first",
                            "    - rtc: interface: Alarm race handling should not discard preceding error",
                            "    - hfsplus: fix volume corruption issue for generic/498",
                            "    - fs/buffer: add alert in try_to_free_buffers() for folios without buffers",
                            "    - hfsplus: pretend special inodes as regular files",
                            "    - i3c: master: svc: Initialize 'dev' to NULL in svc_i3c_master_ibi_isr()",
                            "    - minix: Add required sanity checking to minix_check_superblock()",
                            "    - btrfs: handle user interrupt properly in btrfs_trim_fs()",
                            "    - smb: client: add proper locking around ses->iface_last_update",
                            "    - gfs2: fiemap page fault fix",
                            "    - smb: client: prevent races in ->query_interfaces()",
                            "    - tools/power cpupower: Reset errno before strtoull()",
                            "    - s390/purgatory: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS",
                            "    - perf/arm-cmn: Support CMN-600AE",
                            "    - arm64: Add support for TSV110 Spectre-BHB mitigation",
                            "    - rnbd-srv: Zero the rsp buffer before using it",
                            "    - x86/xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE",
                            "      is set",
                            "    - EFI/CPER: don't dump the entire memory region",
                            "    - APEI/GHES: ensure that won't go past CPER allocated record",
                            "    - EFI/CPER: don't go past the ARM processor CPER record buffer",
                            "    - ACPI: processor: Fix NULL-pointer dereference in",
                            "      acpi_processor_errata_piix4()",
                            "    - ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP",
                            "    - md-cluster: fix NULL pointer dereference in process_metadata_update",
                            "    - cpufreq: dt-platdev: Block the driver from probing on more QC platforms",
                            "    - s390/perf: Disable register readout on sampling events",
                            "    - perf/cxlpmu: Replace IRQF_ONESHOT with IRQF_NO_THREAD",
                            "    - xenbus: Use .freeze/.thaw to handle xenbus devices",
                            "    - blk-mq-debugfs: add missing debugfs_mutex in",
                            "      blk_mq_debugfs_register_hctxs()",
                            "    - sparc: Synchronize user stack on fork and clone",
                            "    - sparc: don't reference obsolete termio struct for TC* constants",
                            "    - bpf: verifier improvement in 32bit shift sign extension pattern",
                            "    - clocksource/drivers/sh_tmu: Always leave device running after probe",
                            "    - clocksource/drivers/timer-integrator-ap: Add missing Kconfig dependency",
                            "      on OF",
                            "    - PCI/MSI: Unmap MSI-X region on error",
                            "    - crypto: hisilicon/qm - move the barrier before writing to the mailbox",
                            "      register",
                            "    - mailbox: bcm-ferxrm-mailbox: Use default primary handler",
                            "    - char: tpm: cr50: Remove IRQF_ONESHOT",
                            "    - pstore: ram_core: fix incorrect success return when vmap() fails",
                            "    - arm64: tegra: smaug: Add usb-role-switch support",
                            "    - parisc: Prevent interrupts during reboot",
                            "    - drm/display/dp_mst: Add protection against 0 vcpi",
                            "    - spi-geni-qcom: initialize mode related registers to 0",
                            "    - spi-geni-qcom: use xfer->bits_per_word for can_dma()",
                            "    - media: dvb-core: dmxdevfilter must always flush bufs",
                            "    - spi: stm32: fix Overrun issue at < 8bpw",
                            "    - drm/v3d: Set DMA segment size to avoid debug warnings",
                            "    - media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes",
                            "    - media: omap3isp: isppreview: always clamp in preview_try_format()",
                            "    - media: omap3isp: set initial format",
                            "    - media: mediatek: vcodec: Don't try to decode 422/444 VP9",
                            "    - drm/amdgpu: add support for HDP IP version 6.1.1",
                            "    - drm/amdgpu: avoid a warning in timedout job handler",
                            "    - HID: apple: Add \"SONiX KN85 Keyboard\" to the list of non-apple keyboards",
                            "    - ASoC: wm8962: Add WM8962_ADC_MONOMIX to \"3D Coefficients\" mask",
                            "    - ASoC: wm8962: Don't report a microphone if it's shorted to ground on",
                            "      plug",
                            "    - spi: spi-mem: Limit octal DTR constraints to octal DTR situations",
                            "    - media: amphion: Clear last_buffer_dequeued flag for DEC_CMD_START",
                            "    - media: adv7180: fix frame interval in progressive mode",
                            "    - media: pvrusb2: fix URB leak in pvr2_send_request_ex",
                            "    - media: solo6x10: Check for out of bounds chip_id",
                            "    - media: cx25821: Fix a resource leak in cx25821_dev_setup()",
                            "    - media: v4l2-async: Fix error handling on steps after finding a match",
                            "    - drm/amdkfd: Fix GART PTE for non-4K pagesize in svm_migrate_gart_map()",
                            "    - drm: Account property blob allocations to memcg",
                            "    - hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed",
                            "    - virt: vbox: uapi: Mark inner unions in packed structs as packed",
                            "    - drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback",
                            "    - drm/atmel-hlcdc: don't reject the commit if the src rect has fractional",
                            "      parts",
                            "    - drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release",
                            "    - media: rkisp1: Fix filter mode register configuration",
                            "    - HID: multitouch: add eGalaxTouch EXC3188 support",
                            "    - HID: elecom: Add support for ELECOM HUGE Plus M-HT1MRBK",
                            "    - ALSA: hda/conexant: Add headset mic fix for MECHREVO Wujie 15X Pro",
                            "    - gpio: aspeed-sgpio: Change the macro to support deferred probe",
                            "    - ASoC: sunxi: sun50i-dmic: Add missing check for devm_regmap_init_mmio",
                            "    - spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end",
                            "    - ASoC: codecs: max98390: Check return value of devm_gpiod_get_optional()",
                            "      in max98390_i2c_probe()",
                            "    - hwmon: (nct6775) Add ASUS Pro WS WRX90E-SAGE SE",
                            "    - hwmon: (f71882fg) Add F81968 support",
                            "    - ASoC: es8328: Add error unwind in resume",
                            "    - modpost: Amend ppc64 save/restfpr symnames for -Os build",
                            "    - ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio",
                            "    - jfs: Add missing set_freezable() for freezable kthread",
                            "    - jfs: nlink overflow in jfs_rename",
                            "    - wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero",
                            "    - wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()",
                            "    - wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H",
                            "    - dm: replace -EEXIST with -EBUSY",
                            "    - dm: remove fake timeout to avoid leak request",
                            "    - iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency",
                            "    - wifi: libertas: fix WARNING in usb_tx_block",
                            "    - iommu/amd: move wait_on_sem() out of spinlock",
                            "    - wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode",
                            "    - PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port",
                            "    - wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1",
                            "    - wifi: ath12k: fix preferred hardware mode calculation",
                            "    - ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}()",
                            "    - ipv6: exthdrs: annotate data-race over multiple sysctl",
                            "    - ext4: mark group add fast-commit ineligible",
                            "    - ext4: move ext4_percpu_param_init() before ext4_mb_init()",
                            "    - ext4: mark group extend fast-commit ineligible",
                            "    - netfilter: nf_conntrack: Add allow_clash to generic protocol handler",
                            "    - netfilter: xt_tcpmss: check remaining length before reading optlen",
                            "    - openrisc: define arch-specific version of nop()",
                            "    - net: usb: r8152: fix transmit queue timeout",
                            "    - wifi: iwlwifi: mvm: check the validity of noa_len",
                            "    - net/rds: No shortcut out of RDS_CONN_ERROR",
                            "    - gro: change the BUG_ON() in gro_pull_from_frag0()",
                            "    - ipv4: igmp: annotate data-races around idev->mr_maxdelay",
                            "    - net: hns3: extend HCLGE_FD_AD_QID to 11 bits",
                            "    - wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power()",
                            "    - wifi: iwlegacy: add missing mutex protection in",
                            "      il3945_store_measurement()",
                            "    - ipv4: fib: Annotate access to struct fib_alias.fa_state.",
                            "    - Bluetooth: hci_conn: Set link_policy on incoming ACL connections",
                            "    - Bluetooth: hci_conn: use mod_delayed_work for active mode timeout",
                            "    - Bluetooth: btusb: Add new VID/PID for RTL8852CE",
                            "    - Bluetooth: btusb: Add device ID for Realtek RTL8761BU",
                            "    - octeontx2-af: Workaround SQM/PSE stalls by disabling sticky",
                            "    - wifi: rtw89: pci: restore LDO setting after device resume",
                            "    - wifi: ath10k: fix lock protection in",
                            "      ath10k_wmi_event_peer_sta_ps_state_chg()",
                            "    - net: usb: sr9700: remove code to drive nonexistent multicast filter",
                            "    - vmw_vsock: bypass false-positive Wnonnull warning with gcc-16",
                            "    - net/rds: Clear reconnect pending bit",
                            "    - PCI: Mark ASM1164 SATA controller to avoid bus reset",
                            "    - PCI: Fix pci_slot_lock () device locking",
                            "    - PCI: Enable ACS after configuring IOMMU for OF platforms",
                            "    - PCI: Add ACS quirk for Qualcomm Hamoa & Glymur",
                            "    - PCI: Mark Nvidia GB10 to avoid bus reset",
                            "    - myri10ge: avoid uninitialized variable use",
                            "    - nfc: nxp-nci: remove interrupt trigger type",
                            "    - RDMA/rtrs-clt: For conn rejection use actual err number",
                            "    - ata: libata: avoid long timeouts on hot-unplugged SATA DAS",
                            "    - hisi_acc_vfio_pci: update status after RAS error",
                            "    - scsi: buslogic: Reduce stack usage",
                            "    - vhost: fix caching attributes of MMIO regions by setting them explicitly",
                            "    - tracing: Fix false sharing in hwlat get_sample()",
                            "    - remoteproc: imx_dsp_rproc: Skip RP_MBOX_SUSPEND_SYSTEM when mailbox TX",
                            "      channel is uninitialized",
                            "    - mailbox: pcc: Remove spurious IRQF_ONESHOT usage",
                            "    - mailbox: imx: Skip the suspend flag for i.MX7ULP",
                            "    - mailbox: sprd: mask interrupts that are not handled",
                            "    - remoteproc: mediatek: Break lock dependency to `prepare_lock`",
                            "    - mailbox: sprd: clear delivery flag before handling TX done",
                            "    - clk: microchip: core: correct return value on *_get_parent()",
                            "    - m68k: nommu: fix memmove() with differently aligned src and dest for",
                            "      68000",
                            "    - soundwire: dmi-quirks: add mapping for Avell B.ON (OEM rebranded of",
                            "      NUC15)",
                            "    - staging: rtl8723bs: fix missing status update on sdio_alloc_irq()",
                            "      failure",
                            "    - serial: 8250_dw: handle clock enable errors in runtime_resume",
                            "    - usb: typec: ucsi: psy: Fix voltage and current max for non-Fixed PDOs",
                            "    - fpga: of-fpga-region: Fail if any bridge is missing",
                            "    - dmaengine: sun6i: Choose appropriate burst length under maxburst",
                            "    - dmaengine: stm32-mdma: initialize m2m_hw_period and ccr to fix warnings",
                            "    - misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()",
                            "    - misc: eeprom: Fix EWEN/EWDS/ERAL commands for 93xx56 and 93xx66",
                            "    - staging: rtl8723bs: fix memory leak on failure path",
                            "    - serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA",
                            "      termination is done",
                            "    - fix it87_wdt early reboot by reporting running timer",
                            "    - binder: don't use %pK through printk",
                            "    - watchdog: imx7ulp_wdt: handle the nowayout option",
                            "    - phy: mvebu-cp110-utmi: fix dr_mode property read from dts",
                            "    - phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature",
                            "    - Revert \"mfd: da9052-spi: Change read-mask to write-mask\"",
                            "    - iio: Use IRQF_NO_THREAD",
                            "    - iio: magnetometer: Remove IRQF_ONESHOT",
                            "    - MIPS: Loongson: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - fs/ntfs3: drop preallocated clusters for sparse and compressed files",
                            "    - fs/ntfs3: avoid calling run_get_entry() when run == NULL in",
                            "      ntfs_read_run_nb_ra()",
                            "    - ceph: supply snapshot context in ceph_uninline_data()",
                            "    - libceph: define and enforce CEPH_MAX_KEY_LEN",
                            "    - thermal: int340x: Fix sysfs group leak on DLVR registration failure",
                            "    - include: uapi: netfilter_bridge.h: Cover for musl libc",
                            "    - ARM: 9467/1: mm: Don't use %pK through printk",
                            "    - drm/amd/display: Avoid updating surface with the same surface under MPO",
                            "    - drm/amdgpu: Adjust usleep_range in fence wait",
                            "    - ALSA: usb-audio: Update the number of packets properly at receiving",
                            "    - drm/amdgpu: Add HAINAN clock adjustment",
                            "    - drm/radeon: Add HAINAN clock adjustment",
                            "    - ALSA: usb-audio: Add sanity check for OOB writes at silencing",
                            "    - btrfs: replace BUG() with error handling in __btrfs_balance()",
                            "    - drm/amd/display: Remove conditional for shaper 3DLUT power-on",
                            "    - rtc: zynqmp: correct frequency value",
                            "    - ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access",
                            "    - ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut",
                            "    - xfrm6: fix uninitialized saddr in xfrm6_get_saddr()",
                            "    - xfrm: skip templates check for packet offload tunnel mode",
                            "    - ipmi: ipmb: initialise event handler read bytes",
                            "    - xfrm: always flush state and policy upon NETDEV_UNREGISTER event",
                            "    - net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode",
                            "    - net: usb: lan78xx: scan all MDIO addresses on LAN7801",
                            "    - net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()",
                            "    - net: ethernet: xscale: Check for PTP support properly",
                            "    - wifi: cfg80211: wext: fix IGTK key ID off-by-one",
                            "    - Remove WARN_ALL_UNSEEDED_RANDOM kernel config option",
                            "    - [Config] Remove WARN_ALL_UNSEEDED_RANDOM",
                            "    - Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ",
                            "    - Bluetooth: hci_qca: Cleanup on all setup failures",
                            "    - Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix not checking output MTU is acceptable on",
                            "      L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ",
                            "    - tipc: fix duplicate publication key in tipc_service_insert_publ()",
                            "    - RDMA/core: Fix stale RoCE GIDs during netdev events at registration",
                            "    - net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets",
                            "    - RDMA/efa: Fix typo in efa_alloc_mr()",
                            "    - net: usb: pegasus: enable basic endpoint checking",
                            "    - RDMA/umem: Fix double dma_buf_unpin in failure path",
                            "    - net/mlx5: DR, Fix circular locking dependency in dump",
                            "    - net/mlx5: Fix missing devlink lock in SRIOV enable error path",
                            "    - net: consume xmit errors of GSO frames",
                            "    - dpaa2-switch: validate num_ifs to prevent out-of-bounds write",
                            "    - netfilter: nf_conntrack_h323: fix OOB read in decode_choice()",
                            "    - rpmsg: core: fix race in driver_override_show() and use core helper",
                            "    - clk: renesas: rzg2l: Fix intin variable size",
                            "    - clk: renesas: rzg2l: Select correct div round macro",
                            "    - ASoC: SOF: ipc4-control: If there is no data do not send bytes update",
                            "    - ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls",
                            "    - ASoC: SOF: ipc4-control: Use the correct size for",
                            "      scontrol->ipc_control_data",
                            "    - ASoC: SOF: ipc4-control: Keep the payload size up to date",
                            "    - fpga: dfl: use subsys_initcall to allow built-in drivers to be added",
                            "    - dm-verity: correctly handle dm_bufio_client_create() failure",
                            "    - media: mediatek: encoder: Fix uninitialized scalar variable issue",
                            "    - media: mtk-mdp: Fix error handling in probe function",
                            "    - media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()",
                            "    - media: verisilicon: AV1: Fix enable cdef computation",
                            "    - media: verisilicon: AV1: Fix tx mode bit setting",
                            "    - ARM: omap2: Fix reference count leaks in omap_control_init()",
                            "    - KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3()",
                            "      succeeding",
                            "    - arm64: Disable branch profiling for all arm64 code",
                            "    - HID: hid-pl: handle probe errors",
                            "    - HID: magicmouse: Do not crash on missing msc->input",
                            "    - HID: prodikeys: Check presence of pm->input_ep82",
                            "    - HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()",
                            "    - arm64: dts: apple: t8112-j473: Keep the HDMI port powered on",
                            "    - media: verisilicon: AV1: Set IDR flag for intra_only frame type",
                            "    - media: radio-keene: fix memory leak in error path",
                            "    - media: cx88: Add missing unmap in snd_cx88_hw_params()",
                            "    - media: cx23885: Add missing unmap in snd_cx23885_hw_params()",
                            "    - media: cx25821: Add missing unmap in snd_cx25821_hw_params()",
                            "    - media: i2c/tw9903: Fix potential memory leak in tw9903_probe()",
                            "    - media: i2c/tw9906: Fix potential memory leak in tw9906_probe()",
                            "    - media: i2c: ov01a10: Fix the horizontal flip control",
                            "    - media: i2c: ov01a10: Fix reported pixel-rate value",
                            "    - media: i2c: ov01a10: Fix analogue gain range",
                            "    - media: i2c: ov01a10: Add missing v4l2_subdev_cleanup() calls",
                            "    - media: i2c: ov01a10: Fix test-pattern disabling",
                            "    - media: qcom: camss: vfe: Fix out-of-bounds access in",
                            "      vfe_isr_reg_update()",
                            "    - media: ccs: Avoid possible division by zero",
                            "    - media: i2c: ov5647: Initialize subdev before controls",
                            "    - media: i2c: ov5647: Correct pixel array offset",
                            "    - media: i2c: ov5647: Correct minimum VBLANK value",
                            "    - media: i2c: ov5647: Sensor should report RAW color space",
                            "    - media: i2c: ov5647: Fix PIXEL_RATE value for VGA mode",
                            "    - media: i2c: ov5647: use our own mutex for the ctrl lock",
                            "    - dm-integrity: fix a typo in the code for write/discard race",
                            "    - dm: clear cloned request bio pointer when last clone bio completes",
                            "    - soc: ti: k3-socinfo: Fix regmap leak on probe failure",
                            "    - soc: ti: pruss: Fix double free in pruss_clk_mux_setup()",
                            "    - KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation",
                            "    - clk: clk-apple-nco: Add \"apple,t8103-nco\" compatible",
                            "    - media: i2c: ov01a10: Fix digital gain range",
                            "    - clk: tegra: tegra124-emc: Fix potential memory leak in",
                            "      tegra124_clk_register_emc()",
                            "    - s390/pci: Handle futile config accesses of disabled devices directly",
                            "    - dm-integrity: fix recalculation in bitmap mode",
                            "    - dm-unstripe: fix mapping bug when there are multiple targets in a table",
                            "    - arm64: dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro",
                            "    - media: venus: vdec: fix error state assignment for zero bytesused",
                            "    - media: venus: vdec: restrict EOS addr quirk to IRIS2 only",
                            "    - drm: of: drm_of_panel_bridge_remove(): fix device_node leak",
                            "    - mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations",
                            "    - selftests/mm/charge_reserved_hugetlb: drop mount size for hugetlbfs",
                            "    - xfs: mark data structures corrupt on EIO and ENODATA",
                            "    - media: verisilicon: AV1: Fix tile info buffer size",
                            "    - iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in",
                            "      scalable mode",
                            "    - mfd: core: Add locking around 'mfd_of_node_list'",
                            "    - xfs: delete attr leaf freemap entries when empty",
                            "    - xfs: fix freemap adjustments when adding xattrs to leaf blocks",
                            "    - xfs: fix remote xattr valuelblk check",
                            "    - KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()",
                            "    - PCI: endpoint: Fix swapped parameters in",
                            "      pci_{primary/secondary}_epc_epf_unlink() functions",
                            "    - md/bitmap: fix GPF in write_page caused by resize race",
                            "    - nfsd: fix return error code for nfsd_map_name_to_[ug]id",
                            "    - nvmem: Drop OF node reference on nvmem_add_one_cell() failure",
                            "    - usb: gadget: tegra-xudc: Add handling for BLCG_COREPLL_PWRDN",
                            "    - bus: fsl-mc: fix an error handling in fsl_mc_device_add()",
                            "    - dm mpath: make pg_init_delay_msecs settable",
                            "    - tools: Fix bitfield dependency failure",
                            "    - powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()",
                            "    - iio: gyro: itg3200: Fix unchecked return value in read_raw",
                            "    - mm/highmem: fix __kmap_to_page() build error",
                            "    - rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()",
                            "    - ocfs2: fix reflink preserve cleanup issue",
                            "    - kexec: derive purgatory entry from symbol",
                            "    - Revert \"PCI/IOV: Add PCI rescan-remove locking when enabling/disabling",
                            "      SR-IOV\"",
                            "    - PCI/IOV: Fix race between SR-IOV enable/disable and hotplug",
                            "    - arm64: Fix non-atomic __READ_ONCE() with CONFIG_LTO=y",
                            "    - btrfs: continue trimming remaining devices on failure",
                            "    - remoteproc: imx_rproc: Fix invalid loaded resource table detection",
                            "    - perf/arm-cmn: Reject unsupported hardware configurations",
                            "    - scsi: ufs: core: Flush exception handling work when RPM level is zero",
                            "    - usb: dwc3: gadget: Move vbus draw to workqueue context",
                            "    - usb: dwc2: fix resume failure if dr_mode is host",
                            "    - mtd: rawnand: pl353: Fix software ECC support",
                            "    - tipc: fix RCU dereference race in tipc_aead_users_dec()",
                            "    - drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()",
                            "    - net: cpsw_new: Fix unnecessary netdev unregistration in cpsw_probe()",
                            "      error path",
                            "    - PCI: Fix pci_slot_trylock() error handling",
                            "    - parisc: kernel: replace kfree() with put_device() in create_tree_node()",
                            "    - staging: rtl8723bs: fix null dereference in find_network",
                            "    - cifs: Fix locking usage for tcon fields",
                            "    - MIPS: rb532: Fix MMIO UART resource registration",
                            "    - ceph: supply snapshot context in ceph_zero_partial_object()",
                            "    - LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - LoongArch: Prefer top-down allocation after arch_mem_init()",
                            "    - LoongArch: Guard percpu handler under !CONFIG_PREEMPT_RT",
                            "    - LoongArch: Disable instrumentation for setup_ptwalker()",
                            "    - net: ethernet: marvell: skge: remove incorrect conflicting PCI ID",
                            "    - net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()",
                            "    - octeontx2-af: CGX: fix bitmap leaks",
                            "    - net: macb: Fix tx/rx malfunction after phy link down and up",
                            "    - tracing: Fix to set write permission to per-cpu buffer_size_kb",
                            "    - io_uring/filetable: clamp alloc_hint to the configured alloc range",
                            "    - net: intel: fix PCI device ID conflict between i40e and ipw2200",
                            "    - atm: fore200e: fix use-after-free in tasklets during device removal",
                            "    - ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()",
                            "    - fbcon: check return value of con2fb_acquire_newinfo()",
                            "    - fbdev: vt8500lcdfb: fix missing dma_free_coherent()",
                            "    - fbdev: of: display_timing: fix refcount leak in of_get_display_timings()",
                            "    - fbdev: ffb: fix corrupted video output on Sun FFB1",
                            "    - fbcon: Remove struct fbcon_display.inverse",
                            "    - cifs: some missing initializations on replay",
                            "    - ASoC: amd: yc: Add DMI quirk for ASUS Vivobook Pro 15X M6501RR",
                            "    - net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle",
                            "    - net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()",
                            "    - x86/kexec: Copy ACPI root pointer address from config table",
                            "    - arm64: Force the use of CNTVCT_EL0 in __delay()",
                            "    - net: nfc: nci: Fix parameter validation for packet data",
                            "    - tracing: Fix checking of freed trace_event_file for hist files",
                            "    - tracing: Wake up poll waiters for hist files when removing an event",
                            "    - NTB: ntb_transport: Fix too small buffer for debugfs_name",
                            "    - drm/i915/wakeref: clean up INTEL_WAKEREF_PUT_* flag macros",
                            "    - arm64: Fix sampling the \"stable\" virtual counter in preemptible section",
                            "    - gfs2: Fix slab-use-after-free in qd_put",
                            "    - io_uring: use release-acquire ordering for IORING_SETUP_R_DISABLED",
                            "    - thermal: intel: x86_pkg_temp_thermal: Handle invalid temperature",
                            "    - OPP: Return correct value in dev_pm_opp_get_level",
                            "    - cpufreq: scmi: Fix device_node reference leak in scmi_cpu_domain_id()",
                            "    - perf/x86/core: Do not set bit width for unavailable counters",
                            "    - genirq: Set IRQF_COND_ONESHOT in devm_request_irq().",
                            "    - platform/x86: int0002: Remove IRQF_ONESHOT from request_irq()",
                            "    - media: pci: mg4b: Use IRQF_NO_THREAD",
                            "    - firmware: arm_ffa: Correct 32-bit response handling in",
                            "      NOTIFICATION_INFO_GET",
                            "    - arm64: dts: qcom: msm8994-octagon: Fix Analog Devices vendor prefix of",
                            "      AD7147",
                            "    - arm64: dts: mediatek: mt8183-jacuzzi-pico6: Fix typo in pinmux node",
                            "    - arm64: dts: qcom: qrb4210-rb2: Fix UART3 wakeup IRQ storm",
                            "    - arm64: dts: qcom: x1e: bus is 40-bits (fix 64GB models)",
                            "    - media: chips-media: wave5: Fix memory leak on codec_info allocation",
                            "      failure",
                            "    - drm/amd: Drop \"amdgpu kernel modesetting enabled\" message",
                            "    - drm/amdkfd: Fix signal_eviction_fence() bool return value",
                            "    - drm/xe: Unregister drm device on probe error",
                            "    - HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients",
                            "    - wifi: cfg80211: Fix use_for flag update on BSS refresh",
                            "    - PCI: Check parent for NULL in of_pci_bus_release_domain_nr()",
                            "    - netfilter: nfnetlink_queue: optimize verdict lookup with hash table",
                            "    - netfilter: nfnetlink_queue: do shared-unconfirmed check before",
                            "      segmentation",
                            "    - netfilter: nft_set_rbtree: fix bogus EEXIST with NLM_F_CREATE with null",
                            "      interval",
                            "    - power: supply: pm8916_bms_vm: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()",
                            "    - RDMA/mlx5: Fix UMR hang in LAG error state unload",
                            "    - IB/mlx5: Fix port speed query for representors",
                            "    - platform/x86/amd/pmf: Prevent TEE errors after hibernate",
                            "    - crypto: ccp - Declare PSP dead if PSP_CMD_TEE_RING_INIT fails",
                            "    - power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler",
                            "    - clk: qcom: gcc-sm8650: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: gcc-sm4450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-x1e80100: Update the SDCC RCGs to use shared_floor_ops",
                            "    - dma: dma-axi-dmac: fix HW scatter-gather not looking at the queue",
                            "    - iio: pressure: mprls0025pa: fix interrupt flag",
                            "    - objpool: fix the overestimation of object pooling metadata size",
                            "    - ipvs: do not keep dest_dst if dev is going down",
                            "    - net/mlx5e: Use unsigned for mlx5e_get_max_num_channels",
                            "    - AppArmor: Allow apparmor to handle unaligned dfa tables",
                            "    - apparmor: Fix & Optimize table creation from possibly unaligned memory",
                            "    - apparmor: avoid per-cpu hold underflow in aa_get_buffer",
                            "    - drm/amd/display: Fix out-of-bounds stream encoder index v3",
                            "    - btrfs: use the correct type to initialize block reserve for delayed refs",
                            "    - Drivers: hv: vmbus: Use kthread for vmbus interrupts on PREEMPT_RT",
                            "    - i3c: mipi-i3c-hci: Reset RING_OPERATION1 fields during init",
                            "    - APEI/GHES: ARM processor Error: don't go past allocated memory",
                            "    - ACPI: resource: Add JWIPC JVC9100 to irq1_level_low_skip_override[]",
                            "    - powercap: intel_rapl: Add PL4 support for Ice Lake",
                            "    - alpha: fix user-space corruption during memory compaction",
                            "    - ACPI: x86: s2idle: Invoke Microsoft _DSM Function 9 (Turn On Display)",
                            "    - ACPI: battery: fix incorrect charging status when current is zero",
                            "    - perf/x86/msr: Add Airmont NP",
                            "    - perf/x86/cstate: Add Airmont NP",
                            "    - bpf: Recognize special arithmetic shift in the verifier",
                            "    - firmware: arm_ffa: Unmap Rx/Tx buffers on init failure",
                            "    - gpu/panel-edp: add AUO panel entry for B140HAN06.4",
                            "    - drm/amdgpu: fix NULL pointer issue buffer funcs",
                            "    - ASoC: SOF: ipc4: Support for sending payload along with LARGE_CONFIG_GET",
                            "    - media: chips-media: wave5: Fix conditional in start_streaming",
                            "    - media: chips-media: wave5: Process ready frames when CMD_STOP sent to",
                            "      Encoder",
                            "    - drm/amd/display: Fix dsc eDP issue",
                            "    - drm/panel: Fix a possible null-pointer dereference in",
                            "      jdi_panel_dsi_remove()",
                            "    - media: mt9m114: Avoid a reset low spike during probe()",
                            "    - media: mt9m114: Return -EPROBE_DEFER if no endpoint is found",
                            "    - ALSA: hda/realtek: add HP Victus 16-e0xxx mute LED quirk",
                            "    - PCI: Add Intel Nova Lake audio Device ID",
                            "    - drm/amd/display: Disable FEC when powering down encoders",
                            "    - drm/amd/display: avoid dig reg access timeout on usb4 link training fail",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7080",
                            "    - HID: logitech-hidpp: Add support for Logitech K980",
                            "    - ASoC: SOF: Intel: hda: Fix NULL pointer dereference",
                            "    - spi: geni-qcom: Fix abort sequence execution for serial engine errors",
                            "    - ALSA: hda/realtek - Enable mute LEDs on HP ENVY x360 15-es0xxx",
                            "    - wifi: rtw89: 8922a: set random mac if efuse contains zeroes",
                            "    - wifi: rtw89: ser: enable error IMR after recovering from L1",
                            "    - wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()",
                            "    - wifi: rtw89: mac: correct page number for CSI response",
                            "    - wifi: ath11k: Fix failure to connect to a 6 GHz AP",
                            "    - ipv6: annotate data-races over sysctl.flowlabel_reflect",
                            "    - ext4: use reserved metadata blocks when splitting extent on endio",
                            "    - Bluetooth: btusb: Add support for MediaTek7920 0489:e158",
                            "    - net: sfp: add quirk for Lantech 8330-265D",
                            "    - PCI/AER: Clear stale errors on reporting agents upon probe",
                            "    - scsi: ufs: mediatek: Fix page faults in ufs_mtk_clk_scale() trace event",
                            "    - riscv: vector: init vector context with proper vlenb",
                            "    - HID: i2c-hid: Add FocalTech FT8112",
                            "    - 9p/xen: protect xen_9pfs_front_free against concurrent calls",
                            "    - soundwire: intel_auxdevice: add cs42l45 codec to wake_capable_list",
                            "    - most: remove usage of the deprecated ida_simple_xx() API",
                            "    - most: core: fix resource leak in most_register_interface error paths",
                            "    - usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()",
                            "    - serial: 8250: 8250_omap.c: Add support for handling UART error",
                            "      conditions",
                            "    - mfd: intel-lpss: Add Intel Nova Lake-S PCI IDs",
                            "    - ACPI: x86: Force enabling of PWM2 on the Yogabook YB1-X90",
                            "    - drm/amd/display: Fix writeback on DCN 3.2+",
                            "    - drm/amd/display: Fix system resume lag issue",
                            "    - drm/amd/display: bypass post csc for additional color spaces in dal",
                            "    - spi: spidev: fix lock inversion between spi_lock and buf_lock",
                            "    - Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings",
                            "    - Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too",
                            "      short",
                            "    - kcm: fix zero-frag skb in frag_list on partial sendmsg error",
                            "    - net/mlx5: E-switch, Clear legacy flag when moving to switchdev",
                            "    - net/mlx5e: Separate address related variables to be in struct",
                            "    - net/mlx5e: Support routed networks during IPsec MACs initialization",
                            "    - net/mlx5e: Fix \"scheduling while atomic\" in IPsec MAC address query",
                            "    - drm/tests: shmem: Swap names of export tests",
                            "    - KVM: x86: Return \"unsupported\" instead of \"invalid\" on access to",
                            "      unsupported PV MSR",
                            "    - media: amphion: Drop min_queued_buffers assignment",
                            "    - media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()",
                            "    - media: i2c: ov01a10: Fix passing stream instead of pad to",
                            "      v4l2_subdev_state_get_format()",
                            "    - media: ccs: Fix setting initial sub-device state",
                            "    - platform/x86: ISST: Add missing write block check",
                            "    - bus: omap-ocp2scp: fix OF populate on driver rebind",
                            "    - media: stm32: dcmipp: bytecap: clear all interrupts upon stream stop",
                            "    - drm/buddy: Prevent BUG_ON by validating rounded allocation",
                            "    - xfs: remove xfs_attr_leaf_hasname",
                            "    - mfd: qcom-pm8xxx: Fix OF populate on driver rebind",
                            "    - mfd: omap-usb-host: Fix OF populate on driver rebind",
                            "    - xfs: fix the xattr scrub to detect freemap/entries array collisions",
                            "    - pinctrl: intel: Add code name documentation",
                            "    - vhost: move vdpa group bound check to vhost_vdpa",
                            "    - clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841",
                            "    - mm/slab: use unsigned long for orig_size to ensure proper metadata align",
                            "    - drm/amd/display: Increase DCN35 SR enter/exit latency",
                            "    - drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify",
                            "    - mm: numa_memblks: Identify the accurate NUMA ID of CFMW",
                            "    - drm/amdgpu: keep vga memory on MacBooks with switchable graphics",
                            "    - most: core: fix leak on early registration failure",
                            "    - Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req",
                            "    - Upstream stable to v6.6.128, v6.12.75",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23249",
                            "    - xfs: check for deleted cursors when revalidating two btrees",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71267",
                            "    - fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71265",
                            "    - fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent",
                            "      metadata",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71266",
                            "    - fs: ntfs3: check return value of indx_find to avoid infinite loop",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23241",
                            "    - audit: add missing syscalls to read class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71239",
                            "    - audit: add fchmodat2() to change attributes class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-31411",
                            "    - net: atm: fix crash due to unvalidated vcc pointer in sigd_send()",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23243",
                            "    - RDMA/umad: Reject negative data_len in ib_umad_write",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23242",
                            "    - RDMA/siw: Fix potential NULL pointer dereference in header processing",
                            "  * Noble update: upstream stable patchset 2026-04-17 (LP: #2148714)",
                            "    - scsi: qla2xxx: Fix bsg_done() causing double free",
                            "    - PCI: endpoint: Remove unused field in struct pci_epf_group",
                            "    - bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show",
                            "      functions",
                            "    - bus: fsl-mc: fix use-after-free in driver_override_show()",
                            "    - ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list",
                            "    - gpio: sprd: Change sprd_gpio lock to raw_spin_lock",
                            "    - ALSA: hda/realtek: Add quirk for Inspur S14-G1",
                            "    - ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel",
                            "    - romfs: check sb_set_blocksize() return value",
                            "    - drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used",
                            "    - platform/x86: classmate-laptop: Add missing NULL pointer checks",
                            "    - ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9",
                            "    - ASoC: amd: yc: Add quirk for HP 200 G2a 16",
                            "    - platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro",
                            "    - platform/x86: panasonic-laptop: Fix sysfs group leak in error path",
                            "    - ASoC: cs42l43: Correct handling of 3-pole jack load detection",
                            "    - ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()",
                            "    - gpiolib: acpi: Fix gpio count with string references",
                            "    - LoongArch: Rework KASAN initialization for PTW-enabled systems",
                            "    - Revert \"wireguard: device: enable threaded NAPI\"",
                            "    - mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count",
                            "    - mm/hugetlb: fix hugetlb_pmd_shared()",
                            "    - mm/hugetlb: fix two comments related to huge_pmd_unshare()",
                            "    - mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using",
                            "      mmu_gather",
                            "    - cpuset: Fix missing adaptation for cpuset_is_populated",
                            "    - LoongArch: Add writecombine support for DMW-based ioremap()",
                            "    - fbdev: rivafb: fix divide error in nv3_arb()",
                            "    - fbdev: smscufx: properly copy ioctl memory to kernelspace",
                            "    - f2fs: fix to add gc count stat in f2fs_gc_range",
                            "    - f2fs: fix out-of-bounds access in sysfs attribute read/write",
                            "    - f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent",
                            "      atomic commit and checkpoint writes",
                            "    - f2fs: fix to avoid UAF in f2fs_write_end_io()",
                            "    - f2fs: fix to avoid mapping wrong physical block for swapfile",
                            "    - USB: serial: option: add Telit FN920C04 RNDIS compositions",
                            "    - bnxt_en: Change FW message timeout warning",
                            "    - bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code",
                            "    - ALSA: hda/realtek: Enable headset mic for Acer Nitro 5",
                            "    - drm/amd/display: remove assert around dpp_base replacement",
                            "    - ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()",
                            "    - Upstream stable to v6.6.126, v6.6.127, v6.12.73, v6.12.74",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260)",
                            "    - Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB",
                            "    - crypto: octeontx - Fix length check to avoid truncation in",
                            "      ucode_load_store",
                            "    - crypto: virtio - Remove duplicated virtqueue_kick in",
                            "      virtio_crypto_skcipher_crypt_req",
                            "    - scsi: qla2xxx: Allow recovery for tape devices",
                            "    - scsi: qla2xxx: Query FW again before proceeding with login",
                            "    - Revert \"netfilter: nf_tables: missing objects with no memcg accounting\"",
                            "    - netfilter: nf_tables: missing objects with no memcg accounting",
                            "    - vsock/test: verify socket options after setting them",
                            "    - selftests: mptcp: pm: ensure unknown flags are ignored",
                            "    - gpio: omap: do not register driver in probe()",
                            "    - net: tunnel: make skb_vlan_inet_prepare() return drop reasons",
                            "    - Upstream stable to v6.6.125, v6.12.71, v6.12.72",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71233",
                            "    - PCI: endpoint: Avoid creating sub-groups asynchronously",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71231",
                            "    - crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23169",
                            "    - mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-40005",
                            "    - spi: cadence-quadspi: Implement refcount to handle unbind during busy",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71232",
                            "    - scsi: qla2xxx: Free sp in error path to fix system crash",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71235",
                            "    - scsi: qla2xxx: Delay module unload while fabric scan in progress",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71236",
                            "    - scsi: qla2xxx: Validate sp before freeing associated memory",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71229",
                            "    - wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71237",
                            "    - nilfs2: Fix potential block overflow that cause system hang",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23229",
                            "    - crypto: virtio - Add spinlock protection with virtqueue notification",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23222",
                            "    - crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23228",
                            "    - smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23220",
                            "    - ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error",
                            "      paths",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23230",
                            "    - smb: client: split cached_fid bitfields to avoid shared-byte RMW races",
                            "  * CVE-2026-23272",
                            "    - netfilter: nf_tables: unconditionally bump set->nelems before insertion",
                            "  * CVE-2026-31418",
                            "    - netfilter: ipset: drop logically empty buckets in mtype_del",
                            "  * CVE-2026-23392",
                            "    - netfilter: nf_tables: release flowtable after rcu grace period on error",
                            "  * CVE-2026-23278",
                            "    - netfilter: nf_tables: always walk all pending catchall elements",
                            "  * GRO managed-frag use-after-free leading to local privilege escalation",
                            "    (LP: #2154172)",
                            "    - net: gro: don't merge zcopy skbs",
                            "  * AppArmor Vulnerabilities  (LP: #2151747)",
                            "    - apparmor: Fix incorrect profile->signal range check",
                            "    - SAUCE: apparmor: pass big_resp to handler",
                            "    - SAUCE: apparmor: remove redundant kref_init for listener->count",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47337",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47336",
                            "    - SAUCE: apparmor: fix use of unintialized variable in net opt level",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47335",
                            "    - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL",
                            "      check",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47334",
                            "    - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47333",
                            "    - SAUCE: apparmor: fix dfa unpacking size of the notification filter",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47332",
                            "    - SAUCE: apparmor: fix size check against type instead of pointer",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47331",
                            "    - SAUCE: apparmor: fix changing rules list without a lock",
                            "  * apparmor: LLVM/clang build failure due to uninitialized variable in",
                            "    notify.c (LP: #2148809) // CVE-2026-47330",
                            "    - SAUCE: apparmor: initialize variable used in uninitialized context",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47329",
                            "    - SAUCE: apparmor: fix name validation bypass on notification",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47327 //",
                            "    CVE-2026-47328",
                            "    - SAUCE: apparmor: fix glob memory leak after kstrdup",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47326",
                            "    - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer",
                            "  * CVE-2026-46300",
                            "    - net: skbuff: preserve shared-frag marker during coalescing",
                            "    - net: skbuff: propagate shared-frag marker through frag-transfer helpers",
                            "  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)",
                            "    - net/rds: reset op_nents when zerocopy page pin fails",
                            "  * CVE-2026-46333",
                            "    - ptrace: slightly saner 'get_dumpable()' logic",
                            "  * CVE-2026-43500",
                            "    - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets",
                            "    - rxrpc: Parse received packets before dealing with timeouts",
                            "    - rxrpc: Fix potential UAF after skb_unshare() failure",
                            "    - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets",
                            "    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
                            "  * CVE-2026-31676 // CVE-2026-43500",
                            "    - rxrpc: only handle RESPONSE during service challenge",
                            "  * CVE-2026-43284",
                            "    - xfrm: esp: avoid in-place decrypt on shared skb frags",
                            "  * CVE-2026-31419",
                            "    - net: bonding: fix use-after-free in bond_xmit_broadcast()",
                            "  * CVE-2026-31431",
                            "    - crypto: scatterwalk - Backport memcpy_sglist()",
                            "    - crypto: algif_aead - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: algif_aead - Revert to operating out-of-place",
                            "    - crypto: algif_aead - snapshot IV for async AEAD requests",
                            "    - crypto: authenc - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: authencesn - Do not place hiseq at end of dst for out-of-place",
                            "      decryption",
                            "    - crypto: authencesn - Fix src offset when decrypting in-place",
                            "    - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl",
                            "    - crypto: algif_aead - Fix minimum RX size check for decryption",
                            "  * CVE-2026-31533",
                            "    - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
                            "  * CVE-2026-31504",
                            "    - net: fix fanout UAF in packet_release() via NETDEV_UP race",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2151948,
                            2154560,
                            2146465,
                            2153556,
                            2152194,
                            2141536,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2148714,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2154172,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2148809,
                            2151747,
                            2151747,
                            2151747,
                            2153962
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:23:35 +0200"
                    }
                ],
                "notes": "linux-image-6.8.0-134-generic version '6.8.0-134.134~22.04.1' (source package linux-riscv-6.8 version '6.8.0-134.134~22.04.1') was added. linux-image-6.8.0-134-generic version '6.8.0-134.134~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-124-generic. As such we can use the source package version of the removed package, '6.8.0-124.124~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-134-generic",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-134.134~22.04.1",
                    "version": "6.8.0-134.134~22.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43185",
                        "url": "https://ubuntu.com/security/CVE-2026-43185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-06 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43501",
                        "url": "https://ubuntu.com/security/CVE-2026-43501",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45988",
                        "url": "https://ubuntu.com/security/CVE-2026-45988",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46043",
                        "url": "https://ubuntu.com/security/CVE-2026-46043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43493",
                        "url": "https://ubuntu.com/security/CVE-2026-43493",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43071",
                        "url": "https://ubuntu.com/security/CVE-2026-43071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-05 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31685",
                        "url": "https://ubuntu.com/security/CVE-2026-31685",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43117",
                        "url": "https://ubuntu.com/security/CVE-2026-43117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43114",
                        "url": "https://ubuntu.com/security/CVE-2026-43114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31607",
                        "url": "https://ubuntu.com/security/CVE-2026-31607",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31659",
                        "url": "https://ubuntu.com/security/CVE-2026-31659",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31649",
                        "url": "https://ubuntu.com/security/CVE-2026-31649",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31657",
                        "url": "https://ubuntu.com/security/CVE-2026-31657",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31637",
                        "url": "https://ubuntu.com/security/CVE-2026-31637",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31669",
                        "url": "https://ubuntu.com/security/CVE-2026-31669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31668",
                        "url": "https://ubuntu.com/security/CVE-2026-31668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43011",
                        "url": "https://ubuntu.com/security/CVE-2026-43011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43037",
                        "url": "https://ubuntu.com/security/CVE-2026-43037",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43341",
                        "url": "https://ubuntu.com/security/CVE-2026-43341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43038",
                        "url": "https://ubuntu.com/security/CVE-2026-43038",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31682",
                        "url": "https://ubuntu.com/security/CVE-2026-31682",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31436",
                        "url": "https://ubuntu.com/security/CVE-2026-31436",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43384",
                        "url": "https://ubuntu.com/security/CVE-2026-43384",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31448",
                        "url": "https://ubuntu.com/security/CVE-2026-31448",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31478",
                        "url": "https://ubuntu.com/security/CVE-2026-31478",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23428",
                        "url": "https://ubuntu.com/security/CVE-2026-23428",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23450",
                        "url": "https://ubuntu.com/security/CVE-2026-23450",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23455",
                        "url": "https://ubuntu.com/security/CVE-2026-23455",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31402",
                        "url": "https://ubuntu.com/security/CVE-2026-31402",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43383",
                        "url": "https://ubuntu.com/security/CVE-2026-43383",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43378",
                        "url": "https://ubuntu.com/security/CVE-2026-43378",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43414",
                        "url": "https://ubuntu.com/security/CVE-2026-43414",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43407",
                        "url": "https://ubuntu.com/security/CVE-2026-43407",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43406",
                        "url": "https://ubuntu.com/security/CVE-2026-43406",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23249",
                        "url": "https://ubuntu.com/security/CVE-2026-23249",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71267",
                        "url": "https://ubuntu.com/security/CVE-2025-71267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71265",
                        "url": "https://ubuntu.com/security/CVE-2025-71265",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71266",
                        "url": "https://ubuntu.com/security/CVE-2025-71266",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23241",
                        "url": "https://ubuntu.com/security/CVE-2026-23241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71239",
                        "url": "https://ubuntu.com/security/CVE-2025-71239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31411",
                        "url": "https://ubuntu.com/security/CVE-2026-31411",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23243",
                        "url": "https://ubuntu.com/security/CVE-2026-23243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23242",
                        "url": "https://ubuntu.com/security/CVE-2026-23242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71233",
                        "url": "https://ubuntu.com/security/CVE-2025-71233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71231",
                        "url": "https://ubuntu.com/security/CVE-2025-71231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23169",
                        "url": "https://ubuntu.com/security/CVE-2026-23169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-14 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40005",
                        "url": "https://ubuntu.com/security/CVE-2025-40005",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71232",
                        "url": "https://ubuntu.com/security/CVE-2025-71232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71235",
                        "url": "https://ubuntu.com/security/CVE-2025-71235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71236",
                        "url": "https://ubuntu.com/security/CVE-2025-71236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71229",
                        "url": "https://ubuntu.com/security/CVE-2025-71229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71237",
                        "url": "https://ubuntu.com/security/CVE-2025-71237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23229",
                        "url": "https://ubuntu.com/security/CVE-2026-23229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23222",
                        "url": "https://ubuntu.com/security/CVE-2026-23222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23228",
                        "url": "https://ubuntu.com/security/CVE-2026-23228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23220",
                        "url": "https://ubuntu.com/security/CVE-2026-23220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23230",
                        "url": "https://ubuntu.com/security/CVE-2026-23230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23272",
                        "url": "https://ubuntu.com/security/CVE-2026-23272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31418",
                        "url": "https://ubuntu.com/security/CVE-2026-31418",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23392",
                        "url": "https://ubuntu.com/security/CVE-2026-23392",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-03-25 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23278",
                        "url": "https://ubuntu.com/security/CVE-2026-23278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47337",
                        "url": "https://ubuntu.com/security/CVE-2026-47337",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47336",
                        "url": "https://ubuntu.com/security/CVE-2026-47336",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47335",
                        "url": "https://ubuntu.com/security/CVE-2026-47335",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47334",
                        "url": "https://ubuntu.com/security/CVE-2026-47334",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47333",
                        "url": "https://ubuntu.com/security/CVE-2026-47333",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47332",
                        "url": "https://ubuntu.com/security/CVE-2026-47332",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47331",
                        "url": "https://ubuntu.com/security/CVE-2026-47331",
                        "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47330",
                        "url": "https://ubuntu.com/security/CVE-2026-47330",
                        "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47329",
                        "url": "https://ubuntu.com/security/CVE-2026-47329",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47327",
                        "url": "https://ubuntu.com/security/CVE-2026-47327",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47328",
                        "url": "https://ubuntu.com/security/CVE-2026-47328",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47326",
                        "url": "https://ubuntu.com/security/CVE-2026-47326",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46300",
                        "url": "https://ubuntu.com/security/CVE-2026-46300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-23 12:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46333",
                        "url": "https://ubuntu.com/security/CVE-2026-46333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43500",
                        "url": "https://ubuntu.com/security/CVE-2026-43500",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-11 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31676",
                        "url": "https://ubuntu.com/security/CVE-2026-31676",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43284",
                        "url": "https://ubuntu.com/security/CVE-2026-43284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31419",
                        "url": "https://ubuntu.com/security/CVE-2026-31419",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31431",
                        "url": "https://ubuntu.com/security/CVE-2026-31431",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31533",
                        "url": "https://ubuntu.com/security/CVE-2026-31533",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-23 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31504",
                        "url": "https://ubuntu.com/security/CVE-2026-31504",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2158431,
                    2158432,
                    2158377,
                    2157195,
                    2157196,
                    1786013,
                    2151948,
                    2154560,
                    2146465,
                    2153556,
                    2152194,
                    2141536,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2148714,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2154172,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2148809,
                    2151747,
                    2151747,
                    2151747,
                    2153962
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-134.134~22.04.1 -proposed tracker (LP: #2158431)",
                            "",
                            "  [ Ubuntu: 6.8.0-134.134 ]",
                            "",
                            "  * noble/linux: 6.8.0-134.134 -proposed tracker (LP: #2158432)",
                            "  * ext4: writeback causes kernel oops when low on space (LP: #2158377)",
                            "    - ext4: get rid of ppath in get_ext_path()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2158431,
                            2158432,
                            2158377
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 16:08:57 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43185",
                                "url": "https://ubuntu.com/security/CVE-2026-43185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-06 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43501",
                                "url": "https://ubuntu.com/security/CVE-2026-43501",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45988",
                                "url": "https://ubuntu.com/security/CVE-2026-45988",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46043",
                                "url": "https://ubuntu.com/security/CVE-2026-46043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43493",
                                "url": "https://ubuntu.com/security/CVE-2026-43493",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43071",
                                "url": "https://ubuntu.com/security/CVE-2026-43071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-05 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31685",
                                "url": "https://ubuntu.com/security/CVE-2026-31685",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43117",
                                "url": "https://ubuntu.com/security/CVE-2026-43117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43114",
                                "url": "https://ubuntu.com/security/CVE-2026-43114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31607",
                                "url": "https://ubuntu.com/security/CVE-2026-31607",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31659",
                                "url": "https://ubuntu.com/security/CVE-2026-31659",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31649",
                                "url": "https://ubuntu.com/security/CVE-2026-31649",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31657",
                                "url": "https://ubuntu.com/security/CVE-2026-31657",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31637",
                                "url": "https://ubuntu.com/security/CVE-2026-31637",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31669",
                                "url": "https://ubuntu.com/security/CVE-2026-31669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31668",
                                "url": "https://ubuntu.com/security/CVE-2026-31668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43011",
                                "url": "https://ubuntu.com/security/CVE-2026-43011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43037",
                                "url": "https://ubuntu.com/security/CVE-2026-43037",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43341",
                                "url": "https://ubuntu.com/security/CVE-2026-43341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43038",
                                "url": "https://ubuntu.com/security/CVE-2026-43038",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31682",
                                "url": "https://ubuntu.com/security/CVE-2026-31682",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31436",
                                "url": "https://ubuntu.com/security/CVE-2026-31436",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43384",
                                "url": "https://ubuntu.com/security/CVE-2026-43384",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31448",
                                "url": "https://ubuntu.com/security/CVE-2026-31448",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31478",
                                "url": "https://ubuntu.com/security/CVE-2026-31478",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23428",
                                "url": "https://ubuntu.com/security/CVE-2026-23428",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23450",
                                "url": "https://ubuntu.com/security/CVE-2026-23450",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23455",
                                "url": "https://ubuntu.com/security/CVE-2026-23455",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31402",
                                "url": "https://ubuntu.com/security/CVE-2026-31402",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43383",
                                "url": "https://ubuntu.com/security/CVE-2026-43383",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43378",
                                "url": "https://ubuntu.com/security/CVE-2026-43378",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43414",
                                "url": "https://ubuntu.com/security/CVE-2026-43414",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43407",
                                "url": "https://ubuntu.com/security/CVE-2026-43407",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43406",
                                "url": "https://ubuntu.com/security/CVE-2026-43406",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-131.131~22.04.1 -proposed tracker (LP: #2157195)",
                            "",
                            "  [ Ubuntu: 6.8.0-131.131 ]",
                            "",
                            "  * noble/linux: 6.8.0-131.131 -proposed tracker (LP: #2157196)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "  * CVE-2026-43185",
                            "    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "  * CVE-2026-43501",
                            "    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
                            "  * CVE-2026-45988",
                            "    - rxrpc: Fix re-decryption of RESPONSE packets",
                            "  * CVE-2026-46043",
                            "    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv",
                            "  * CVE-2026-43493",
                            "    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests",
                            "  * CVE-2026-43071",
                            "    - dcache: Limit the minimal number of bucket to two",
                            "  * CVE-2026-31685",
                            "    - netfilter: ip6t_eui64: reject invalid MAC header for all packets",
                            "  * CVE-2026-43117",
                            "    - btrfs: tracepoints: get correct superblock from dentry in event",
                            "      btrfs_sync_file()",
                            "  * CVE-2026-43114",
                            "    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on",
                            "      expiry",
                            "  * CVE-2026-31607",
                            "    - usbip: validate number_of_packets in usbip_pack_ret_submit()",
                            "  * CVE-2026-31659",
                            "    - batman-adv: reject oversized global TT response buffers",
                            "  * CVE-2026-31649",
                            "    - net: stmmac: fix integer underflow in chain mode",
                            "  * CVE-2026-31657",
                            "    - batman-adv: hold claim backbone gateways by reference",
                            "  * CVE-2026-31637",
                            "    - rxrpc: reject undecryptable rxkad response tickets",
                            "  * CVE-2026-31669",
                            "    - mptcp: fix slab-use-after-free in __inet_lookup_established",
                            "  * CVE-2026-31668",
                            "    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel",
                            "  * CVE-2026-43011",
                            "    - net/x25: Fix potential double free of skb",
                            "  * CVE-2026-43037",
                            "    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()",
                            "  * CVE-2026-43341",
                            "    - net/ipv6: ioam6: prevent schema length wraparound in trace fill",
                            "  * CVE-2026-43038",
                            "    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()",
                            "  * CVE-2026-31682",
                            "    - bridge: br_nd_send: linearize skb before parsing ND options",
                            "  * CVE-2026-31436",
                            "    - dmaengine: idxd: fix possible wrong descriptor completion in",
                            "      llist_abort_desc()",
                            "  * CVE-2026-43384",
                            "    - net/tcp-ao: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-31448",
                            "    - ext4: get rid of ppath in ext4_find_extent()",
                            "    - ext4: get rid of ppath in ext4_ext_create_new_leaf()",
                            "    - ext4: get rid of ppath in ext4_ext_insert_extent()",
                            "    - ext4: avoid infinite loops caused by residual data",
                            "  * CVE-2026-31478",
                            "    - ksmbd: replace hardcoded hdr2_len with offsetof() in",
                            "      smb2_calc_max_out_buf_len()",
                            "  * CVE-2026-23428",
                            "    - ksmbd: fix use-after-free of share_conf in compound request",
                            "  * CVE-2026-23450",
                            "    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()",
                            "  * CVE-2026-23455",
                            "    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()",
                            "  * CVE-2026-31402",
                            "    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
                            "  * CVE-2026-43383",
                            "    - net/tcp-md5: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-43378",
                            "    - smb: server: fix use-after-free in smb2_open()",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            "  * CVE-2026-43414",
                            "    - scsi: qla2xxx: Completely fix fcport double free",
                            "  * CVE-2026-43407",
                            "    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()",
                            "  * CVE-2026-43406",
                            "    - libceph: prevent potential out-of-bounds reads in",
                            "      process_message_header()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2157195,
                            2157196,
                            1786013
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:45:49 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23249",
                                "url": "https://ubuntu.com/security/CVE-2026-23249",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71267",
                                "url": "https://ubuntu.com/security/CVE-2025-71267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71265",
                                "url": "https://ubuntu.com/security/CVE-2025-71265",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71266",
                                "url": "https://ubuntu.com/security/CVE-2025-71266",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23241",
                                "url": "https://ubuntu.com/security/CVE-2026-23241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71239",
                                "url": "https://ubuntu.com/security/CVE-2025-71239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31411",
                                "url": "https://ubuntu.com/security/CVE-2026-31411",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23243",
                                "url": "https://ubuntu.com/security/CVE-2026-23243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23242",
                                "url": "https://ubuntu.com/security/CVE-2026-23242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71233",
                                "url": "https://ubuntu.com/security/CVE-2025-71233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71231",
                                "url": "https://ubuntu.com/security/CVE-2025-71231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23169",
                                "url": "https://ubuntu.com/security/CVE-2026-23169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-14 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40005",
                                "url": "https://ubuntu.com/security/CVE-2025-40005",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71232",
                                "url": "https://ubuntu.com/security/CVE-2025-71232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71235",
                                "url": "https://ubuntu.com/security/CVE-2025-71235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71236",
                                "url": "https://ubuntu.com/security/CVE-2025-71236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71229",
                                "url": "https://ubuntu.com/security/CVE-2025-71229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71237",
                                "url": "https://ubuntu.com/security/CVE-2025-71237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23229",
                                "url": "https://ubuntu.com/security/CVE-2026-23229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23222",
                                "url": "https://ubuntu.com/security/CVE-2026-23222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23228",
                                "url": "https://ubuntu.com/security/CVE-2026-23228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23220",
                                "url": "https://ubuntu.com/security/CVE-2026-23220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23230",
                                "url": "https://ubuntu.com/security/CVE-2026-23230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23272",
                                "url": "https://ubuntu.com/security/CVE-2026-23272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31418",
                                "url": "https://ubuntu.com/security/CVE-2026-31418",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23392",
                                "url": "https://ubuntu.com/security/CVE-2026-23392",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-03-25 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23278",
                                "url": "https://ubuntu.com/security/CVE-2026-23278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47337",
                                "url": "https://ubuntu.com/security/CVE-2026-47337",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47336",
                                "url": "https://ubuntu.com/security/CVE-2026-47336",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47335",
                                "url": "https://ubuntu.com/security/CVE-2026-47335",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47334",
                                "url": "https://ubuntu.com/security/CVE-2026-47334",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47333",
                                "url": "https://ubuntu.com/security/CVE-2026-47333",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47332",
                                "url": "https://ubuntu.com/security/CVE-2026-47332",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47331",
                                "url": "https://ubuntu.com/security/CVE-2026-47331",
                                "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47330",
                                "url": "https://ubuntu.com/security/CVE-2026-47330",
                                "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47329",
                                "url": "https://ubuntu.com/security/CVE-2026-47329",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47327",
                                "url": "https://ubuntu.com/security/CVE-2026-47327",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47328",
                                "url": "https://ubuntu.com/security/CVE-2026-47328",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47326",
                                "url": "https://ubuntu.com/security/CVE-2026-47326",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46300",
                                "url": "https://ubuntu.com/security/CVE-2026-46300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-23 12:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46333",
                                "url": "https://ubuntu.com/security/CVE-2026-46333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43500",
                                "url": "https://ubuntu.com/security/CVE-2026-43500",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-11 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31676",
                                "url": "https://ubuntu.com/security/CVE-2026-31676",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43284",
                                "url": "https://ubuntu.com/security/CVE-2026-43284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31419",
                                "url": "https://ubuntu.com/security/CVE-2026-31419",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31431",
                                "url": "https://ubuntu.com/security/CVE-2026-31431",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31533",
                                "url": "https://ubuntu.com/security/CVE-2026-31533",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-23 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31504",
                                "url": "https://ubuntu.com/security/CVE-2026-31504",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-130.130~22.04.1 -proposed tracker (LP: #2151948)",
                            "",
                            "  [ Ubuntu: 6.8.0-130.130 ]",
                            "",
                            "  * noble/linux: 6.8.0-130.130 -proposed tracker (LP: #2154560)",
                            "  * Noble update: upstream stable patchset 2026-03-26 (LP: #2146465)",
                            "    - Revert \"UBUNTU: SAUCE: Fix skb_vlan_inet_prepare() usage\"",
                            "  * Kernel regression (6.8.0-117.generic) (LP: #2153556)",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - bonding: do not set usable_slaves for broadcast mode",
                            "  * perf_cpu_map__merge fails to compile on ppc46el, s390x on noble linux",
                            "    (LP: #2152194)",
                            "    - SAUCE: temporary fix attempt for size eceed",
                            "  * Some powerpc test from ubuntu_kernel_selftests timeout with 45 seconds",
                            "    (LP: #2141536)",
                            "    - selftests/powerpc: Lower run time of count_stcx_fail test",
                            "    - selftests/powerpc: Give all tests 2 minutes timeout",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809)",
                            "    - auxdisplay: arm-charlcd: fix release_mem_region() size",
                            "    - hfsplus: return error when node already exists in hfs_bnode_create",
                            "    - rcu: s/boost_kthread_mutex/kthread_mutex",
                            "    - rcu/exp: Move expedited kthread worker creation functions above",
                            "      rcutree_prepare_cpu()",
                            "    - rcu: Refactor expedited handling check in rcu_read_unlock_special()",
                            "    - rcu: Remove local_irq_save/restore() in",
                            "      rcu_preempt_deferred_qs_handler()",
                            "    - rcu: Fix rcu_read_unlock() deadloop due to softirq",
                            "    - audit: move the compat_xxx_class[] extern declarations to audit_arch.h",
                            "    - i3c: Move device name assignment after i3c_bus_init",
                            "    - fs: add <linux/init_task.h> for 'init_fs'",
                            "    - i3c: master: Update hot-join flag only on success",
                            "    - gfs2: Retries missing in gfs2_{rename,exchange}",
                            "    - gfs2: Fix use-after-free in iomap inline data write path",
                            "    - i3c: dw: Initialize spinlock to avoid upsetting lockdep",
                            "    - tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure",
                            "    - tpm: st33zp24: Fix missing cleanup on get_burstcount() error",
                            "    - btrfs: qgroup: return correct error when deleting qgroup relation item",
                            "    - btrfs: fix block_group_tree dirty_list corruption",
                            "    - smb: client: fix potential UAF and double free in smb2_open_file()",
                            "    - xen/virtio: Don't use grant-dma-ops when running as Dom0",
                            "    - ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()",
                            "    - io_uring/sync: validate passed in offset",
                            "    - cpuidle: menu: Cleanup after loadavg removal",
                            "    - cpuidle: governors: menu: Always check timers with tick stopped",
                            "    - md/raid10: fix any_working flag handling in raid10_sync_request",
                            "    - iomap: fix submission side handling of completion side errors",
                            "    - ublk: Validate SQE128 flag before accessing the cmd",
                            "    - x86/xen: make some functions static",
                            "    - Partial revert \"x86/xen: fix balloon target initialization for PVH dom0\"",
                            "    - PM: wakeup: Handle empty list in wakeup_sources_walk_start()",
                            "    - perf: arm_spe: Properly set hw.state on failures",
                            "    - PM: sleep: wakeirq: harden dev_pm_clear_wake_irq() against races",
                            "    - s390/cio: Fix device lifecycle handling in css_alloc_subchannel()",
                            "    - crypto: qat - fix warning on adf_pfvf_pf_proto.c",
                            "    - selftests/bpf: veristat: fix printing order in output_stats()",
                            "    - libbpf: Fix OOB read in btf_dump_get_bitfield_value",
                            "    - ARM: VDSO: Patch out __vdso_clock_getres() if unavailable",
                            "    - crypto: cavium - fix dma_free_coherent() size",
                            "    - crypto: octeontx - fix dma_free_coherent() size",
                            "    - crypto: hisilicon/zip - adjust the way to obtain the req in the callback",
                            "      function",
                            "    - crypto: hisilicon/sec2 - support skcipher/aead fallback for hardware",
                            "      queue unavailable",
                            "    - hrtimer: Fix trace oddity",
                            "    - bpf, sockmap: Fix incorrect copied_seq calculation",
                            "    - bpf, sockmap: Fix FIONREAD for sockmap",
                            "    - crypto: hisilicon/trng - modifying the order of header files",
                            "    - crypto: hisilicon/trng - support tfms sharing the device",
                            "    - bpf: Fix bpf_xdp_store_bytes proto for read-only arg",
                            "    - scsi: efct: Use IRQF_ONESHOT and default primary handler",
                            "    - EDAC/altera: Remove IRQF_ONESHOT",
                            "    - mfd: wm8350-core: Use IRQF_ONESHOT",
                            "    - sched/rt: Skip currently executing CPU in rto_next_cpu()",
                            "    - pstore/ram: fix buffer overflow in persistent_ram_save_old()",
                            "    - soc: qcom: smem: handle ENOMEM error during probe",
                            "    - EDAC/i5000: Fix snprintf() size calculation in calculate_dimm_size()",
                            "    - EDAC/i5400: Fix snprintf() limit calculation in calculate_dimm_size()",
                            "    - arm64: dts: tqma8mpql-mba8mpxl: Fix HDMI CEC pad control settings",
                            "    - clk: qcom: Return correct error code in qcom_cc_probe_by_index()",
                            "    - arm64: dts: qcom: sdm630: fix gpu_speed_bin size",
                            "    - arm64: dts: qcom: sdm845-oneplus: Don't mark ts supply boot-on",
                            "    - ARM: dts: allwinner: sun5i-a13-utoo-p66: delete \"power-gpios\" property",
                            "    - powerpc/uaccess: Move barrier_nospec() out of",
                            "      allow_read_{from/write}_user()",
                            "    - soc: qcom: cmd-db: Use devm_memremap() to fix memory leak in",
                            "      cmd_db_dev_probe",
                            "    - soc: mediatek: svs: Fix memory leak in svs_enable_debug_write()",
                            "    - powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event",
                            "      handling",
                            "    - ARM: dts: lpc32xx: Set motor PWM #pwm-cells property value to 3 cells",
                            "    - arm: dts: lpc32xx: add clocks property to Motor Control PWM device tree",
                            "      node",
                            "    - arm64: dts: amlogic: axg: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: gx: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC B and C signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC A signal clock",
                            "    - arm64: dts: qcom: sdm845-db845c: drop CS from SPIO0",
                            "    - arm64: dts: qcom: sdm845-db845c: specify power for WiFi CH1",
                            "    - arm64: dts: qcom: sm6115: Add CX_MEM/DBGC GPU regions",
                            "    - workqueue: Factor out assign_rescuer_work()",
                            "    - workqueue: Only assign rescuer work when really needed",
                            "    - workqueue: Process rescuer work items one-by-one using a cursor",
                            "    - smack: /smack/doi must be > 0",
                            "    - smack: /smack/doi: accept previously used values",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - ASoC: nau8821: Fixup nau8821_enable_jack_detect()",
                            "    - drm/amdgpu: Use explicit VCN instance 0 in SR-IOV init",
                            "    - drm/msm/disp/dpu: add merge3d support for sc7280",
                            "    - regulator: core: move supply check earlier in set_machine_constraints()",
                            "    - HID: playstation: Add missing check for input_ff_create_memless",
                            "    - drm/msm/dpu: fix CMD panels on DPU 1.x - 3.x",
                            "    - media: ccs: Accommodate C-PHY into the calculation",
                            "    - drm/msm/a2xx: fix pixel shader start on A225",
                            "    - platform/chrome: cros_typec_switch: Don't touch struct",
                            "      fwnode_handle::dev",
                            "    - media: uvcvideo: Fix allocation for small frame sizes",
                            "    - platform/chrome: cros_ec_lightbar: Fix response size initialization",
                            "    - spi: tools: Add include folder to .gitignore",
                            "    - Revert \"hwmon: (ibmpex) fix use-after-free in high/low store\"",
                            "    - PCI: mediatek: Fix IRQ domain leak when MSI allocation fails",
                            "    - Documentation: PCI: endpoint: Fix ntb/vntb copy & paste errors",
                            "    - PCI/PM: Avoid redundant delays on D3hot->D3cold",
                            "    - PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails",
                            "    - Documentation: tracing: Add ring-buffer mapping",
                            "    - docs: fix WARNING document not included in any toctree",
                            "    - Documentation: trace: Refactor toctree",
                            "    - Documentation: tracing: Add PCI tracepoint documentation",
                            "    - PCI: Do not attempt to set ExtTag for VFs",
                            "    - PCI/portdrv: Fix potential resource leak",
                            "    - quota: fix livelock between quotactl and freeze_super",
                            "    - net: mctp-i2c: fix duplicate reception of old data",
                            "    - mctp i2c: initialise event handler read bytes",
                            "    - wifi: cfg80211: stop NAN and P2P in cfg80211_leave",
                            "    - netfilter: nf_tables: reset table validation state on abort",
                            "    - netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH",
                            "    - netfilter: nf_conncount: increase the connection clean up limit to 64",
                            "    - netfilter: nft_compat: add more restrictions on netlink attributes",
                            "    - netfilter: nf_conncount: fix tracking of connections from localhost",
                            "    - module: add helper function for reading module_buildid()",
                            "    - kallsyms/ftrace: set module buildid in ftrace_mod_address_lookup()",
                            "    - PCI: Mark 3ware-9650SA Root Port Extended Tags as broken",
                            "    - iommu/vt-d: Flush cache for PASID table before using it",
                            "    - dm: use bio_clone_blkg_association",
                            "    - nfsd: never defer requests during idmap lookup",
                            "    - fat: avoid parent link count underflow in rmdir",
                            "    - tcp: tcp_tx_timestamp() must look at the rtx queue",
                            "    - wifi: ath10k: sdio: add missing lock protection in",
                            "      ath10k_sdio_fw_crashed_dump()",
                            "    - PCI: Initialize RCB from pci_configure_device()",
                            "    - PCI: Add PCIE_MSG_CODE_ASSERT_INTx message macros",
                            "    - PCI: Add defines for bridge window indexing",
                            "    - PCI/ACPI: Restrict program_hpx_type2() to AER bits",
                            "    - ipc: don't audit capability check in ipc_permissions()",
                            "    - ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()",
                            "    - of: unittest: fix possible null-pointer dereferences in",
                            "      of_unittest_property_copy()",
                            "    - mptcp: fix receive space timestamp initialization",
                            "    - octeontx2-af: Fix PF driver crash with kexec kernel booting",
                            "    - bonding: only set speed/duplex to unknown, if getting speed failed",
                            "    - inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP",
                            "    - nfc: hci: shdlc: Stop timers and work before freeing context",
                            "    - netfilter: nft_set_hash: fix get operation on big endian",
                            "    - netfilter: nft_counter: fix reset of counters on 32bit archs",
                            "    - netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets",
                            "    - PCI: Add ACS quirk for Pericom PI7C9X2G404 switches [12d8:b404]",
                            "    - net: hns3: fix double free issue for tx spare buffer",
                            "    - procfs: fix missing RCU protection when reading real_parent in",
                            "      do_task_stat()",
                            "    - smb: client: correct value for smbd_max_fragmented_recv_size",
                            "    - net: sunhme: Fix sbus regression",
                            "    - net: Add skb_dstref_steal and skb_dstref_restore",
                            "    - net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input",
                            "      callers",
                            "    - xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path",
                            "    - serial: caif: fix use-after-free in caif_serial ldisc_close()",
                            "    - octeon_ep: disable per ring interrupts",
                            "    - octeon_ep: ensure dbell BADDR updation",
                            "    - ionic: Rate limit unknown xcvr type messages",
                            "    - octeontx2-pf: Unregister devlink on probe failure",
                            "    - RDMA/rtrs: server: remove dead code",
                            "    - IB/cache: update gid cache on client reregister event",
                            "    - RDMA/hns: Fix WQ_MEM_RECLAIM warning",
                            "    - RDMA/hns: Notify ULP of remaining soft-WCs during reset",
                            "    - power: supply: ab8500: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: act8945a: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq256xx: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq25980: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: cpcap-battery: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: goldfish: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: rt9455: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: sbs-battery: Fix use-after-free in power_supply_changed()",
                            "    - power: reset: nvmem-reboot-mode: respect cell size for nvmem_cell_write",
                            "    - power: supply: bq27xxx: fix wrong errno when bus ops are unsupported",
                            "    - power: supply: wm97xx: Fix NULL pointer dereference in",
                            "      power_supply_changed()",
                            "    - RDMA/rtrs-srv: fix SG mapping",
                            "    - RDMA/rxe: Fix double free in rxe_srq_from_init",
                            "    - tools/power/x86/intel-speed-select: Fix file descriptor leak in",
                            "      isolate_cpus()",
                            "    - mtd: rawnand: cadence: Fix return type of CDMA send-and-wait helper",
                            "    - crypto: ccp - Add an S4 restore flow",
                            "    - crypto: ccp - Factor out ring destroy handling to a helper",
                            "    - crypto: ccp - Send PSP_CMD_TEE_RING_DESTROY when PSP_CMD_TEE_RING_INIT",
                            "      fails",
                            "    - mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()",
                            "    - RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send",
                            "    - RDMA/rxe: Fix race condition in QP timer handlers",
                            "    - svcrdma: Increase the per-transport rw_ctx count",
                            "    - svcrdma: Reduce the number of rdma_rw contexts per-QP",
                            "    - RDMA/core: add rdma_rw_max_sge() helper for SQ sizing",
                            "    - cxl: Fix premature commit_end increment on decoder commit failure",
                            "    - mtd: parsers: ofpart: fix OF node refcount leak in",
                            "      parse_fixed_partitions()",
                            "    - mtd: spinand: Fix kernel doc",
                            "    - power: supply: qcom_battmgr: Recognize \"LiP\" as lithium-polymer",
                            "    - RDMA/uverbs: Add __GFP_NOWARN to ib_uverbs_unmarshall_recv() kmalloc",
                            "    - pNFS: fix a missing wake up while waiting on NFS_LAYOUT_DRAIN",
                            "    - scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()",
                            "    - scsi: ufs: host: mediatek: Require CONFIG_PM",
                            "    - scsi: csiostor: Fix dereference of null pointer rn",
                            "    - nvdimm: virtio_pmem: serialize flush requests",
                            "    - fs/nfs: Fix readdir slow-start regression",
                            "    - tracing: Properly process error handling in event_hist_trigger_parse()",
                            "    - tracing: Remove duplicate ENABLE_EVENT_STR and DISABLE_EVENT_STR macros",
                            "    - fbdev: of_display_timing: Fix device node reference leak in",
                            "      of_get_display_timings()",
                            "    - fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe()",
                            "    - clk: qcom: gcc-sm8550: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: rcg2: compute 2d using duty fraction directly",
                            "    - clk: meson: gxbb: Limit the HDMI PLL OD to /4 on GXL/GXM SoCs",
                            "    - clk: qcom: gcc-sm8450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-sdx75: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-qdu1000: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-msm8953: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-msm8917: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-ipq5018: flag sleep clock as critical",
                            "    - clk: Move clk_{save,restore}_context() to COMMON_CLK section",
                            "    - clk: qcom: dispcc-sdm845: Enable parents for pixel clocks",
                            "    - clk: qcom: gfx3d: add parent to parent request map",
                            "    - clk: mediatek: Fix error handling in runtime PM setup",
                            "    - dmaengine: mediatek: uart-apdma: Fix above 4G addressing TX/RX",
                            "    - dma: dma-axi-dmac: fix SW cyclic transfers",
                            "    - staging: greybus: lights: avoid NULL deref",
                            "    - serial: imx: change SERIAL_IMX_CONSOLE to bool",
                            "    - serial: SH_SCI: improve \"DMA support\" prompt",
                            "    - mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms",
                            "    - iio: pressure: mprls0025pa: fix scan_type struct",
                            "    - watchdog: starfive-wdt: Fix PM reference leak in probe error path",
                            "    - coresight: etm3x: Fix cpulocked warning on cpuhp",
                            "    - Revert \"mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms\"",
                            "    - mfd: arizona: Fix regulator resource leak on",
                            "      wm5102_clear_write_sequencer() failure",
                            "    - mfd: simple-mfd-i2c: Add MAX77705 support",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: simple-mfd-i2c: Add SpacemiT P1 support",
                            "    - mfd: simple-mfd-i2c: Keep compatible strings in alphabetical order",
                            "    - mfd: simple-mfd-i2c: Add Delta TN48M CPLD support",
                            "    - [Config] Disable new Delta TN48M CPLD support by default",
                            "    - drivers: iio: mpu3050: use dev_err_probe for regulator request",
                            "    - usb: bdc: fix sleep during atomic",
                            "    - pinctrl: equilibrium: Fix device node reference leak in pinbank_init()",
                            "    - ovl: Fix uninit-value in ovl_fill_real",
                            "    - iio: sca3000: Fix a resource leak in sca3000_probe()",
                            "    - pinctrl: qcom: sm8250-lpass-lpi: Fix i2s2_data_groups definition",
                            "    - pinctrl: single: fix refcount leak in pcs_add_gpio_func()",
                            "    - leds: qcom-lpg: Check the return value of regmap_bulk_write()",
                            "    - backlight: qcom-wled: Support ovp values for PMI8994",
                            "    - backlight: qcom-wled: Change PM8950 WLED configurations",
                            "    - dmaengine: fsl-edma: don't explicitly disable clocks in .remove()",
                            "    - io_uring/cancel: de-unionize file and user_data in struct io_cancel_data",
                            "    - fs/ntfs3: prevent infinite loops caused by the next valid being the same",
                            "    - fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot",
                            "    - ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs",
                            "    - powercap: intel_rapl_tpmi: Remove FW_BUG from invalid version check",
                            "    - kbuild: Add objtool to top-level clean target",
                            "    - selftests/memfd: delete unused declarations",
                            "    - selftests/memfd: use IPC semaphore instead of SIGSTOP/SIGCONT",
                            "    - ACPI: PM: Add unused power resource quirk for THUNDEROBOT ZERO",
                            "    - cpuidle: Skip governor when only one idle state is available",
                            "    - selftests: mlxsw: tc_restrictions: Fix test failure with new iproute2",
                            "    - net: sparx5/lan969x: fix DWRR cost max to match hardware register width",
                            "    - net: mscc: ocelot: extract ocelot_xmit_timestamp() helper",
                            "    - net: mscc: ocelot: split xmit into FDMA and register injection paths",
                            "    - net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj()",
                            "    - ipv6: Fix out-of-bound access in fib6_add_rt2node().",
                            "    - net: sparx5/lan969x: fix PTP clock max_adj value",
                            "    - net: usb: catc: enable basic endpoint checking",
                            "    - xen-netback: reject zero-queue configuration from guest",
                            "    - net/rds: rds_sendmsg should not discard payload_len",
                            "    - net: bridge: mcast: always update mdb_n_entries for vlan contexts",
                            "    - selftests: forwarding: vxlan_bridge_1d: fix test failure with",
                            "      br_netfilter enabled",
                            "    - selftests: forwarding: vxlan_bridge_1d_ipv6: fix test failure with",
                            "      br_netfilter enabled",
                            "    - netfilter: nf_conntrack_h323: don't pass uninitialised l3num value",
                            "    - net: remove WARN_ON_ONCE when accessing forward path array",
                            "    - ipv6: fix a race in ip6_sock_set_v6only()",
                            "    - bpftool: Fix truncated netlink dumps",
                            "    - ping: annotate data-races in ping_lookup()",
                            "    - icmp: move icmp_global.credit and icmp_global.stamp to per netns storage",
                            "    - icmp: icmp_msgs_per_sec and icmp_msgs_burst sysctls become per netns",
                            "    - icmp: prevent possible overflow in icmp_global_allow()",
                            "    - cache: add __cacheline_group_{begin, end}_aligned() (+ couple more)",
                            "    - inet: move icmp_global_{credit,stamp} to a separate cache line",
                            "    - octeontx2-af: Fix default entries mcam entry action",
                            "    - bonding: alb: fix UAF in rlb_arp_recv during bond up/down",
                            "    - net/mlx5: Fix multiport device check over light SFs",
                            "    - apparmor: fix NULL sock in aa_sock_file_perm",
                            "    - apparmor: return -ENOMEM in unpack_perms_table upon alloc failure",
                            "    - apparmor: fix rlimit for posix cpu timers",
                            "    - apparmor: remove apply_modes_to_perms from label_match",
                            "    - apparmor: make label_match return a consistent value",
                            "    - apparmor: fix invalid deref of rawdata when export_binary is unset",
                            "    - apparmor: fix aa_label to return state from compount and component match",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_ras_init()",
                            "    - drm/i915/acpi: free _DSM package when no connectors",
                            "    - ASoC: codecs: aw88261: Fix erroneous bitmask logic in Awinic init",
                            "    - drm/amdkfd: fix debug watchpoints for logical devices",
                            "    - drm/amdkfd: Fix watch_id bounds checking in debug address watch v2",
                            "    - spi: wpcm-fiu: Use devm_platform_ioremap_resource_byname()",
                            "    - spi: wpcm-fiu: Fix uninitialized res",
                            "    - spi: wpcm-fiu: Simplify with dev_err_probe()",
                            "    - spi: wpcm-fiu: Fix potential NULL pointer dereference in",
                            "      wpcm_fiu_probe()",
                            "    - s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n",
                            "    - efi: Fix reservation of unaccepted memory table",
                            "    - btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not",
                            "      found",
                            "    - x86/hyperv: Fix error pointer dereference",
                            "    - ASoC: rockchip: i2s-tdm: Use param rate if not provided by set_sysclk",
                            "    - drm/amd/display: Use same max plane scaling limits for all 64 bpp",
                            "      formats",
                            "    - MIPS: Work around LLVM bug when gp is used as global register variable",
                            "    - ext4: don't cache extent during splitting extent",
                            "    - ext4: fix memory leak in ext4_ext_shift_extents()",
                            "    - ext4: use optimized mballoc scanning regardless of inode format",
                            "    - ata: pata_ftide010: Fix some DMA timings",
                            "    - ata: libata-scsi: refactor ata_scsi_translate()",
                            "    - SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths",
                            "    - SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path",
                            "    - ASoC: dt-bindings: asahi-kasei,ak4458: Fix the supply names",
                            "    - ASoC: dt-bindings: asahi-kasei,ak5558: Fix the supply names",
                            "    - perf test stat: Update test expectations and events",
                            "    - perf test stat tests: Fix for virtualized machines",
                            "    - perf unwind-libdw: Fix invalid reference counts",
                            "    - perf callchain: Fix srcline printing with inlines",
                            "    - libsubcmd: Fix null intersection case in exclude_cmds()",
                            "    - libperf: Don't remove -g when EXTRA_CFLAGS are used",
                            "    - libperf build: Always place libperf includes first",
                            "    - rtc: interface: Alarm race handling should not discard preceding error",
                            "    - hfsplus: fix volume corruption issue for generic/498",
                            "    - fs/buffer: add alert in try_to_free_buffers() for folios without buffers",
                            "    - hfsplus: pretend special inodes as regular files",
                            "    - i3c: master: svc: Initialize 'dev' to NULL in svc_i3c_master_ibi_isr()",
                            "    - minix: Add required sanity checking to minix_check_superblock()",
                            "    - btrfs: handle user interrupt properly in btrfs_trim_fs()",
                            "    - smb: client: add proper locking around ses->iface_last_update",
                            "    - gfs2: fiemap page fault fix",
                            "    - smb: client: prevent races in ->query_interfaces()",
                            "    - tools/power cpupower: Reset errno before strtoull()",
                            "    - s390/purgatory: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS",
                            "    - perf/arm-cmn: Support CMN-600AE",
                            "    - arm64: Add support for TSV110 Spectre-BHB mitigation",
                            "    - rnbd-srv: Zero the rsp buffer before using it",
                            "    - x86/xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE",
                            "      is set",
                            "    - EFI/CPER: don't dump the entire memory region",
                            "    - APEI/GHES: ensure that won't go past CPER allocated record",
                            "    - EFI/CPER: don't go past the ARM processor CPER record buffer",
                            "    - ACPI: processor: Fix NULL-pointer dereference in",
                            "      acpi_processor_errata_piix4()",
                            "    - ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP",
                            "    - md-cluster: fix NULL pointer dereference in process_metadata_update",
                            "    - cpufreq: dt-platdev: Block the driver from probing on more QC platforms",
                            "    - s390/perf: Disable register readout on sampling events",
                            "    - perf/cxlpmu: Replace IRQF_ONESHOT with IRQF_NO_THREAD",
                            "    - xenbus: Use .freeze/.thaw to handle xenbus devices",
                            "    - blk-mq-debugfs: add missing debugfs_mutex in",
                            "      blk_mq_debugfs_register_hctxs()",
                            "    - sparc: Synchronize user stack on fork and clone",
                            "    - sparc: don't reference obsolete termio struct for TC* constants",
                            "    - bpf: verifier improvement in 32bit shift sign extension pattern",
                            "    - clocksource/drivers/sh_tmu: Always leave device running after probe",
                            "    - clocksource/drivers/timer-integrator-ap: Add missing Kconfig dependency",
                            "      on OF",
                            "    - PCI/MSI: Unmap MSI-X region on error",
                            "    - crypto: hisilicon/qm - move the barrier before writing to the mailbox",
                            "      register",
                            "    - mailbox: bcm-ferxrm-mailbox: Use default primary handler",
                            "    - char: tpm: cr50: Remove IRQF_ONESHOT",
                            "    - pstore: ram_core: fix incorrect success return when vmap() fails",
                            "    - arm64: tegra: smaug: Add usb-role-switch support",
                            "    - parisc: Prevent interrupts during reboot",
                            "    - drm/display/dp_mst: Add protection against 0 vcpi",
                            "    - spi-geni-qcom: initialize mode related registers to 0",
                            "    - spi-geni-qcom: use xfer->bits_per_word for can_dma()",
                            "    - media: dvb-core: dmxdevfilter must always flush bufs",
                            "    - spi: stm32: fix Overrun issue at < 8bpw",
                            "    - drm/v3d: Set DMA segment size to avoid debug warnings",
                            "    - media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes",
                            "    - media: omap3isp: isppreview: always clamp in preview_try_format()",
                            "    - media: omap3isp: set initial format",
                            "    - media: mediatek: vcodec: Don't try to decode 422/444 VP9",
                            "    - drm/amdgpu: add support for HDP IP version 6.1.1",
                            "    - drm/amdgpu: avoid a warning in timedout job handler",
                            "    - HID: apple: Add \"SONiX KN85 Keyboard\" to the list of non-apple keyboards",
                            "    - ASoC: wm8962: Add WM8962_ADC_MONOMIX to \"3D Coefficients\" mask",
                            "    - ASoC: wm8962: Don't report a microphone if it's shorted to ground on",
                            "      plug",
                            "    - spi: spi-mem: Limit octal DTR constraints to octal DTR situations",
                            "    - media: amphion: Clear last_buffer_dequeued flag for DEC_CMD_START",
                            "    - media: adv7180: fix frame interval in progressive mode",
                            "    - media: pvrusb2: fix URB leak in pvr2_send_request_ex",
                            "    - media: solo6x10: Check for out of bounds chip_id",
                            "    - media: cx25821: Fix a resource leak in cx25821_dev_setup()",
                            "    - media: v4l2-async: Fix error handling on steps after finding a match",
                            "    - drm/amdkfd: Fix GART PTE for non-4K pagesize in svm_migrate_gart_map()",
                            "    - drm: Account property blob allocations to memcg",
                            "    - hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed",
                            "    - virt: vbox: uapi: Mark inner unions in packed structs as packed",
                            "    - drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback",
                            "    - drm/atmel-hlcdc: don't reject the commit if the src rect has fractional",
                            "      parts",
                            "    - drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release",
                            "    - media: rkisp1: Fix filter mode register configuration",
                            "    - HID: multitouch: add eGalaxTouch EXC3188 support",
                            "    - HID: elecom: Add support for ELECOM HUGE Plus M-HT1MRBK",
                            "    - ALSA: hda/conexant: Add headset mic fix for MECHREVO Wujie 15X Pro",
                            "    - gpio: aspeed-sgpio: Change the macro to support deferred probe",
                            "    - ASoC: sunxi: sun50i-dmic: Add missing check for devm_regmap_init_mmio",
                            "    - spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end",
                            "    - ASoC: codecs: max98390: Check return value of devm_gpiod_get_optional()",
                            "      in max98390_i2c_probe()",
                            "    - hwmon: (nct6775) Add ASUS Pro WS WRX90E-SAGE SE",
                            "    - hwmon: (f71882fg) Add F81968 support",
                            "    - ASoC: es8328: Add error unwind in resume",
                            "    - modpost: Amend ppc64 save/restfpr symnames for -Os build",
                            "    - ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio",
                            "    - jfs: Add missing set_freezable() for freezable kthread",
                            "    - jfs: nlink overflow in jfs_rename",
                            "    - wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero",
                            "    - wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()",
                            "    - wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H",
                            "    - dm: replace -EEXIST with -EBUSY",
                            "    - dm: remove fake timeout to avoid leak request",
                            "    - iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency",
                            "    - wifi: libertas: fix WARNING in usb_tx_block",
                            "    - iommu/amd: move wait_on_sem() out of spinlock",
                            "    - wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode",
                            "    - PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port",
                            "    - wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1",
                            "    - wifi: ath12k: fix preferred hardware mode calculation",
                            "    - ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}()",
                            "    - ipv6: exthdrs: annotate data-race over multiple sysctl",
                            "    - ext4: mark group add fast-commit ineligible",
                            "    - ext4: move ext4_percpu_param_init() before ext4_mb_init()",
                            "    - ext4: mark group extend fast-commit ineligible",
                            "    - netfilter: nf_conntrack: Add allow_clash to generic protocol handler",
                            "    - netfilter: xt_tcpmss: check remaining length before reading optlen",
                            "    - openrisc: define arch-specific version of nop()",
                            "    - net: usb: r8152: fix transmit queue timeout",
                            "    - wifi: iwlwifi: mvm: check the validity of noa_len",
                            "    - net/rds: No shortcut out of RDS_CONN_ERROR",
                            "    - gro: change the BUG_ON() in gro_pull_from_frag0()",
                            "    - ipv4: igmp: annotate data-races around idev->mr_maxdelay",
                            "    - net: hns3: extend HCLGE_FD_AD_QID to 11 bits",
                            "    - wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power()",
                            "    - wifi: iwlegacy: add missing mutex protection in",
                            "      il3945_store_measurement()",
                            "    - ipv4: fib: Annotate access to struct fib_alias.fa_state.",
                            "    - Bluetooth: hci_conn: Set link_policy on incoming ACL connections",
                            "    - Bluetooth: hci_conn: use mod_delayed_work for active mode timeout",
                            "    - Bluetooth: btusb: Add new VID/PID for RTL8852CE",
                            "    - Bluetooth: btusb: Add device ID for Realtek RTL8761BU",
                            "    - octeontx2-af: Workaround SQM/PSE stalls by disabling sticky",
                            "    - wifi: rtw89: pci: restore LDO setting after device resume",
                            "    - wifi: ath10k: fix lock protection in",
                            "      ath10k_wmi_event_peer_sta_ps_state_chg()",
                            "    - net: usb: sr9700: remove code to drive nonexistent multicast filter",
                            "    - vmw_vsock: bypass false-positive Wnonnull warning with gcc-16",
                            "    - net/rds: Clear reconnect pending bit",
                            "    - PCI: Mark ASM1164 SATA controller to avoid bus reset",
                            "    - PCI: Fix pci_slot_lock () device locking",
                            "    - PCI: Enable ACS after configuring IOMMU for OF platforms",
                            "    - PCI: Add ACS quirk for Qualcomm Hamoa & Glymur",
                            "    - PCI: Mark Nvidia GB10 to avoid bus reset",
                            "    - myri10ge: avoid uninitialized variable use",
                            "    - nfc: nxp-nci: remove interrupt trigger type",
                            "    - RDMA/rtrs-clt: For conn rejection use actual err number",
                            "    - ata: libata: avoid long timeouts on hot-unplugged SATA DAS",
                            "    - hisi_acc_vfio_pci: update status after RAS error",
                            "    - scsi: buslogic: Reduce stack usage",
                            "    - vhost: fix caching attributes of MMIO regions by setting them explicitly",
                            "    - tracing: Fix false sharing in hwlat get_sample()",
                            "    - remoteproc: imx_dsp_rproc: Skip RP_MBOX_SUSPEND_SYSTEM when mailbox TX",
                            "      channel is uninitialized",
                            "    - mailbox: pcc: Remove spurious IRQF_ONESHOT usage",
                            "    - mailbox: imx: Skip the suspend flag for i.MX7ULP",
                            "    - mailbox: sprd: mask interrupts that are not handled",
                            "    - remoteproc: mediatek: Break lock dependency to `prepare_lock`",
                            "    - mailbox: sprd: clear delivery flag before handling TX done",
                            "    - clk: microchip: core: correct return value on *_get_parent()",
                            "    - m68k: nommu: fix memmove() with differently aligned src and dest for",
                            "      68000",
                            "    - soundwire: dmi-quirks: add mapping for Avell B.ON (OEM rebranded of",
                            "      NUC15)",
                            "    - staging: rtl8723bs: fix missing status update on sdio_alloc_irq()",
                            "      failure",
                            "    - serial: 8250_dw: handle clock enable errors in runtime_resume",
                            "    - usb: typec: ucsi: psy: Fix voltage and current max for non-Fixed PDOs",
                            "    - fpga: of-fpga-region: Fail if any bridge is missing",
                            "    - dmaengine: sun6i: Choose appropriate burst length under maxburst",
                            "    - dmaengine: stm32-mdma: initialize m2m_hw_period and ccr to fix warnings",
                            "    - misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()",
                            "    - misc: eeprom: Fix EWEN/EWDS/ERAL commands for 93xx56 and 93xx66",
                            "    - staging: rtl8723bs: fix memory leak on failure path",
                            "    - serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA",
                            "      termination is done",
                            "    - fix it87_wdt early reboot by reporting running timer",
                            "    - binder: don't use %pK through printk",
                            "    - watchdog: imx7ulp_wdt: handle the nowayout option",
                            "    - phy: mvebu-cp110-utmi: fix dr_mode property read from dts",
                            "    - phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature",
                            "    - Revert \"mfd: da9052-spi: Change read-mask to write-mask\"",
                            "    - iio: Use IRQF_NO_THREAD",
                            "    - iio: magnetometer: Remove IRQF_ONESHOT",
                            "    - MIPS: Loongson: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - fs/ntfs3: drop preallocated clusters for sparse and compressed files",
                            "    - fs/ntfs3: avoid calling run_get_entry() when run == NULL in",
                            "      ntfs_read_run_nb_ra()",
                            "    - ceph: supply snapshot context in ceph_uninline_data()",
                            "    - libceph: define and enforce CEPH_MAX_KEY_LEN",
                            "    - thermal: int340x: Fix sysfs group leak on DLVR registration failure",
                            "    - include: uapi: netfilter_bridge.h: Cover for musl libc",
                            "    - ARM: 9467/1: mm: Don't use %pK through printk",
                            "    - drm/amd/display: Avoid updating surface with the same surface under MPO",
                            "    - drm/amdgpu: Adjust usleep_range in fence wait",
                            "    - ALSA: usb-audio: Update the number of packets properly at receiving",
                            "    - drm/amdgpu: Add HAINAN clock adjustment",
                            "    - drm/radeon: Add HAINAN clock adjustment",
                            "    - ALSA: usb-audio: Add sanity check for OOB writes at silencing",
                            "    - btrfs: replace BUG() with error handling in __btrfs_balance()",
                            "    - drm/amd/display: Remove conditional for shaper 3DLUT power-on",
                            "    - rtc: zynqmp: correct frequency value",
                            "    - ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access",
                            "    - ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut",
                            "    - xfrm6: fix uninitialized saddr in xfrm6_get_saddr()",
                            "    - xfrm: skip templates check for packet offload tunnel mode",
                            "    - ipmi: ipmb: initialise event handler read bytes",
                            "    - xfrm: always flush state and policy upon NETDEV_UNREGISTER event",
                            "    - net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode",
                            "    - net: usb: lan78xx: scan all MDIO addresses on LAN7801",
                            "    - net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()",
                            "    - net: ethernet: xscale: Check for PTP support properly",
                            "    - wifi: cfg80211: wext: fix IGTK key ID off-by-one",
                            "    - Remove WARN_ALL_UNSEEDED_RANDOM kernel config option",
                            "    - [Config] Remove WARN_ALL_UNSEEDED_RANDOM",
                            "    - Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ",
                            "    - Bluetooth: hci_qca: Cleanup on all setup failures",
                            "    - Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix not checking output MTU is acceptable on",
                            "      L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ",
                            "    - tipc: fix duplicate publication key in tipc_service_insert_publ()",
                            "    - RDMA/core: Fix stale RoCE GIDs during netdev events at registration",
                            "    - net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets",
                            "    - RDMA/efa: Fix typo in efa_alloc_mr()",
                            "    - net: usb: pegasus: enable basic endpoint checking",
                            "    - RDMA/umem: Fix double dma_buf_unpin in failure path",
                            "    - net/mlx5: DR, Fix circular locking dependency in dump",
                            "    - net/mlx5: Fix missing devlink lock in SRIOV enable error path",
                            "    - net: consume xmit errors of GSO frames",
                            "    - dpaa2-switch: validate num_ifs to prevent out-of-bounds write",
                            "    - netfilter: nf_conntrack_h323: fix OOB read in decode_choice()",
                            "    - rpmsg: core: fix race in driver_override_show() and use core helper",
                            "    - clk: renesas: rzg2l: Fix intin variable size",
                            "    - clk: renesas: rzg2l: Select correct div round macro",
                            "    - ASoC: SOF: ipc4-control: If there is no data do not send bytes update",
                            "    - ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls",
                            "    - ASoC: SOF: ipc4-control: Use the correct size for",
                            "      scontrol->ipc_control_data",
                            "    - ASoC: SOF: ipc4-control: Keep the payload size up to date",
                            "    - fpga: dfl: use subsys_initcall to allow built-in drivers to be added",
                            "    - dm-verity: correctly handle dm_bufio_client_create() failure",
                            "    - media: mediatek: encoder: Fix uninitialized scalar variable issue",
                            "    - media: mtk-mdp: Fix error handling in probe function",
                            "    - media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()",
                            "    - media: verisilicon: AV1: Fix enable cdef computation",
                            "    - media: verisilicon: AV1: Fix tx mode bit setting",
                            "    - ARM: omap2: Fix reference count leaks in omap_control_init()",
                            "    - KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3()",
                            "      succeeding",
                            "    - arm64: Disable branch profiling for all arm64 code",
                            "    - HID: hid-pl: handle probe errors",
                            "    - HID: magicmouse: Do not crash on missing msc->input",
                            "    - HID: prodikeys: Check presence of pm->input_ep82",
                            "    - HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()",
                            "    - arm64: dts: apple: t8112-j473: Keep the HDMI port powered on",
                            "    - media: verisilicon: AV1: Set IDR flag for intra_only frame type",
                            "    - media: radio-keene: fix memory leak in error path",
                            "    - media: cx88: Add missing unmap in snd_cx88_hw_params()",
                            "    - media: cx23885: Add missing unmap in snd_cx23885_hw_params()",
                            "    - media: cx25821: Add missing unmap in snd_cx25821_hw_params()",
                            "    - media: i2c/tw9903: Fix potential memory leak in tw9903_probe()",
                            "    - media: i2c/tw9906: Fix potential memory leak in tw9906_probe()",
                            "    - media: i2c: ov01a10: Fix the horizontal flip control",
                            "    - media: i2c: ov01a10: Fix reported pixel-rate value",
                            "    - media: i2c: ov01a10: Fix analogue gain range",
                            "    - media: i2c: ov01a10: Add missing v4l2_subdev_cleanup() calls",
                            "    - media: i2c: ov01a10: Fix test-pattern disabling",
                            "    - media: qcom: camss: vfe: Fix out-of-bounds access in",
                            "      vfe_isr_reg_update()",
                            "    - media: ccs: Avoid possible division by zero",
                            "    - media: i2c: ov5647: Initialize subdev before controls",
                            "    - media: i2c: ov5647: Correct pixel array offset",
                            "    - media: i2c: ov5647: Correct minimum VBLANK value",
                            "    - media: i2c: ov5647: Sensor should report RAW color space",
                            "    - media: i2c: ov5647: Fix PIXEL_RATE value for VGA mode",
                            "    - media: i2c: ov5647: use our own mutex for the ctrl lock",
                            "    - dm-integrity: fix a typo in the code for write/discard race",
                            "    - dm: clear cloned request bio pointer when last clone bio completes",
                            "    - soc: ti: k3-socinfo: Fix regmap leak on probe failure",
                            "    - soc: ti: pruss: Fix double free in pruss_clk_mux_setup()",
                            "    - KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation",
                            "    - clk: clk-apple-nco: Add \"apple,t8103-nco\" compatible",
                            "    - media: i2c: ov01a10: Fix digital gain range",
                            "    - clk: tegra: tegra124-emc: Fix potential memory leak in",
                            "      tegra124_clk_register_emc()",
                            "    - s390/pci: Handle futile config accesses of disabled devices directly",
                            "    - dm-integrity: fix recalculation in bitmap mode",
                            "    - dm-unstripe: fix mapping bug when there are multiple targets in a table",
                            "    - arm64: dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro",
                            "    - media: venus: vdec: fix error state assignment for zero bytesused",
                            "    - media: venus: vdec: restrict EOS addr quirk to IRIS2 only",
                            "    - drm: of: drm_of_panel_bridge_remove(): fix device_node leak",
                            "    - mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations",
                            "    - selftests/mm/charge_reserved_hugetlb: drop mount size for hugetlbfs",
                            "    - xfs: mark data structures corrupt on EIO and ENODATA",
                            "    - media: verisilicon: AV1: Fix tile info buffer size",
                            "    - iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in",
                            "      scalable mode",
                            "    - mfd: core: Add locking around 'mfd_of_node_list'",
                            "    - xfs: delete attr leaf freemap entries when empty",
                            "    - xfs: fix freemap adjustments when adding xattrs to leaf blocks",
                            "    - xfs: fix remote xattr valuelblk check",
                            "    - KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()",
                            "    - PCI: endpoint: Fix swapped parameters in",
                            "      pci_{primary/secondary}_epc_epf_unlink() functions",
                            "    - md/bitmap: fix GPF in write_page caused by resize race",
                            "    - nfsd: fix return error code for nfsd_map_name_to_[ug]id",
                            "    - nvmem: Drop OF node reference on nvmem_add_one_cell() failure",
                            "    - usb: gadget: tegra-xudc: Add handling for BLCG_COREPLL_PWRDN",
                            "    - bus: fsl-mc: fix an error handling in fsl_mc_device_add()",
                            "    - dm mpath: make pg_init_delay_msecs settable",
                            "    - tools: Fix bitfield dependency failure",
                            "    - powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()",
                            "    - iio: gyro: itg3200: Fix unchecked return value in read_raw",
                            "    - mm/highmem: fix __kmap_to_page() build error",
                            "    - rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()",
                            "    - ocfs2: fix reflink preserve cleanup issue",
                            "    - kexec: derive purgatory entry from symbol",
                            "    - Revert \"PCI/IOV: Add PCI rescan-remove locking when enabling/disabling",
                            "      SR-IOV\"",
                            "    - PCI/IOV: Fix race between SR-IOV enable/disable and hotplug",
                            "    - arm64: Fix non-atomic __READ_ONCE() with CONFIG_LTO=y",
                            "    - btrfs: continue trimming remaining devices on failure",
                            "    - remoteproc: imx_rproc: Fix invalid loaded resource table detection",
                            "    - perf/arm-cmn: Reject unsupported hardware configurations",
                            "    - scsi: ufs: core: Flush exception handling work when RPM level is zero",
                            "    - usb: dwc3: gadget: Move vbus draw to workqueue context",
                            "    - usb: dwc2: fix resume failure if dr_mode is host",
                            "    - mtd: rawnand: pl353: Fix software ECC support",
                            "    - tipc: fix RCU dereference race in tipc_aead_users_dec()",
                            "    - drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()",
                            "    - net: cpsw_new: Fix unnecessary netdev unregistration in cpsw_probe()",
                            "      error path",
                            "    - PCI: Fix pci_slot_trylock() error handling",
                            "    - parisc: kernel: replace kfree() with put_device() in create_tree_node()",
                            "    - staging: rtl8723bs: fix null dereference in find_network",
                            "    - cifs: Fix locking usage for tcon fields",
                            "    - MIPS: rb532: Fix MMIO UART resource registration",
                            "    - ceph: supply snapshot context in ceph_zero_partial_object()",
                            "    - LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - LoongArch: Prefer top-down allocation after arch_mem_init()",
                            "    - LoongArch: Guard percpu handler under !CONFIG_PREEMPT_RT",
                            "    - LoongArch: Disable instrumentation for setup_ptwalker()",
                            "    - net: ethernet: marvell: skge: remove incorrect conflicting PCI ID",
                            "    - net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()",
                            "    - octeontx2-af: CGX: fix bitmap leaks",
                            "    - net: macb: Fix tx/rx malfunction after phy link down and up",
                            "    - tracing: Fix to set write permission to per-cpu buffer_size_kb",
                            "    - io_uring/filetable: clamp alloc_hint to the configured alloc range",
                            "    - net: intel: fix PCI device ID conflict between i40e and ipw2200",
                            "    - atm: fore200e: fix use-after-free in tasklets during device removal",
                            "    - ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()",
                            "    - fbcon: check return value of con2fb_acquire_newinfo()",
                            "    - fbdev: vt8500lcdfb: fix missing dma_free_coherent()",
                            "    - fbdev: of: display_timing: fix refcount leak in of_get_display_timings()",
                            "    - fbdev: ffb: fix corrupted video output on Sun FFB1",
                            "    - fbcon: Remove struct fbcon_display.inverse",
                            "    - cifs: some missing initializations on replay",
                            "    - ASoC: amd: yc: Add DMI quirk for ASUS Vivobook Pro 15X M6501RR",
                            "    - net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle",
                            "    - net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()",
                            "    - x86/kexec: Copy ACPI root pointer address from config table",
                            "    - arm64: Force the use of CNTVCT_EL0 in __delay()",
                            "    - net: nfc: nci: Fix parameter validation for packet data",
                            "    - tracing: Fix checking of freed trace_event_file for hist files",
                            "    - tracing: Wake up poll waiters for hist files when removing an event",
                            "    - NTB: ntb_transport: Fix too small buffer for debugfs_name",
                            "    - drm/i915/wakeref: clean up INTEL_WAKEREF_PUT_* flag macros",
                            "    - arm64: Fix sampling the \"stable\" virtual counter in preemptible section",
                            "    - gfs2: Fix slab-use-after-free in qd_put",
                            "    - io_uring: use release-acquire ordering for IORING_SETUP_R_DISABLED",
                            "    - thermal: intel: x86_pkg_temp_thermal: Handle invalid temperature",
                            "    - OPP: Return correct value in dev_pm_opp_get_level",
                            "    - cpufreq: scmi: Fix device_node reference leak in scmi_cpu_domain_id()",
                            "    - perf/x86/core: Do not set bit width for unavailable counters",
                            "    - genirq: Set IRQF_COND_ONESHOT in devm_request_irq().",
                            "    - platform/x86: int0002: Remove IRQF_ONESHOT from request_irq()",
                            "    - media: pci: mg4b: Use IRQF_NO_THREAD",
                            "    - firmware: arm_ffa: Correct 32-bit response handling in",
                            "      NOTIFICATION_INFO_GET",
                            "    - arm64: dts: qcom: msm8994-octagon: Fix Analog Devices vendor prefix of",
                            "      AD7147",
                            "    - arm64: dts: mediatek: mt8183-jacuzzi-pico6: Fix typo in pinmux node",
                            "    - arm64: dts: qcom: qrb4210-rb2: Fix UART3 wakeup IRQ storm",
                            "    - arm64: dts: qcom: x1e: bus is 40-bits (fix 64GB models)",
                            "    - media: chips-media: wave5: Fix memory leak on codec_info allocation",
                            "      failure",
                            "    - drm/amd: Drop \"amdgpu kernel modesetting enabled\" message",
                            "    - drm/amdkfd: Fix signal_eviction_fence() bool return value",
                            "    - drm/xe: Unregister drm device on probe error",
                            "    - HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients",
                            "    - wifi: cfg80211: Fix use_for flag update on BSS refresh",
                            "    - PCI: Check parent for NULL in of_pci_bus_release_domain_nr()",
                            "    - netfilter: nfnetlink_queue: optimize verdict lookup with hash table",
                            "    - netfilter: nfnetlink_queue: do shared-unconfirmed check before",
                            "      segmentation",
                            "    - netfilter: nft_set_rbtree: fix bogus EEXIST with NLM_F_CREATE with null",
                            "      interval",
                            "    - power: supply: pm8916_bms_vm: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()",
                            "    - RDMA/mlx5: Fix UMR hang in LAG error state unload",
                            "    - IB/mlx5: Fix port speed query for representors",
                            "    - platform/x86/amd/pmf: Prevent TEE errors after hibernate",
                            "    - crypto: ccp - Declare PSP dead if PSP_CMD_TEE_RING_INIT fails",
                            "    - power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler",
                            "    - clk: qcom: gcc-sm8650: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: gcc-sm4450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-x1e80100: Update the SDCC RCGs to use shared_floor_ops",
                            "    - dma: dma-axi-dmac: fix HW scatter-gather not looking at the queue",
                            "    - iio: pressure: mprls0025pa: fix interrupt flag",
                            "    - objpool: fix the overestimation of object pooling metadata size",
                            "    - ipvs: do not keep dest_dst if dev is going down",
                            "    - net/mlx5e: Use unsigned for mlx5e_get_max_num_channels",
                            "    - AppArmor: Allow apparmor to handle unaligned dfa tables",
                            "    - apparmor: Fix & Optimize table creation from possibly unaligned memory",
                            "    - apparmor: avoid per-cpu hold underflow in aa_get_buffer",
                            "    - drm/amd/display: Fix out-of-bounds stream encoder index v3",
                            "    - btrfs: use the correct type to initialize block reserve for delayed refs",
                            "    - Drivers: hv: vmbus: Use kthread for vmbus interrupts on PREEMPT_RT",
                            "    - i3c: mipi-i3c-hci: Reset RING_OPERATION1 fields during init",
                            "    - APEI/GHES: ARM processor Error: don't go past allocated memory",
                            "    - ACPI: resource: Add JWIPC JVC9100 to irq1_level_low_skip_override[]",
                            "    - powercap: intel_rapl: Add PL4 support for Ice Lake",
                            "    - alpha: fix user-space corruption during memory compaction",
                            "    - ACPI: x86: s2idle: Invoke Microsoft _DSM Function 9 (Turn On Display)",
                            "    - ACPI: battery: fix incorrect charging status when current is zero",
                            "    - perf/x86/msr: Add Airmont NP",
                            "    - perf/x86/cstate: Add Airmont NP",
                            "    - bpf: Recognize special arithmetic shift in the verifier",
                            "    - firmware: arm_ffa: Unmap Rx/Tx buffers on init failure",
                            "    - gpu/panel-edp: add AUO panel entry for B140HAN06.4",
                            "    - drm/amdgpu: fix NULL pointer issue buffer funcs",
                            "    - ASoC: SOF: ipc4: Support for sending payload along with LARGE_CONFIG_GET",
                            "    - media: chips-media: wave5: Fix conditional in start_streaming",
                            "    - media: chips-media: wave5: Process ready frames when CMD_STOP sent to",
                            "      Encoder",
                            "    - drm/amd/display: Fix dsc eDP issue",
                            "    - drm/panel: Fix a possible null-pointer dereference in",
                            "      jdi_panel_dsi_remove()",
                            "    - media: mt9m114: Avoid a reset low spike during probe()",
                            "    - media: mt9m114: Return -EPROBE_DEFER if no endpoint is found",
                            "    - ALSA: hda/realtek: add HP Victus 16-e0xxx mute LED quirk",
                            "    - PCI: Add Intel Nova Lake audio Device ID",
                            "    - drm/amd/display: Disable FEC when powering down encoders",
                            "    - drm/amd/display: avoid dig reg access timeout on usb4 link training fail",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7080",
                            "    - HID: logitech-hidpp: Add support for Logitech K980",
                            "    - ASoC: SOF: Intel: hda: Fix NULL pointer dereference",
                            "    - spi: geni-qcom: Fix abort sequence execution for serial engine errors",
                            "    - ALSA: hda/realtek - Enable mute LEDs on HP ENVY x360 15-es0xxx",
                            "    - wifi: rtw89: 8922a: set random mac if efuse contains zeroes",
                            "    - wifi: rtw89: ser: enable error IMR after recovering from L1",
                            "    - wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()",
                            "    - wifi: rtw89: mac: correct page number for CSI response",
                            "    - wifi: ath11k: Fix failure to connect to a 6 GHz AP",
                            "    - ipv6: annotate data-races over sysctl.flowlabel_reflect",
                            "    - ext4: use reserved metadata blocks when splitting extent on endio",
                            "    - Bluetooth: btusb: Add support for MediaTek7920 0489:e158",
                            "    - net: sfp: add quirk for Lantech 8330-265D",
                            "    - PCI/AER: Clear stale errors on reporting agents upon probe",
                            "    - scsi: ufs: mediatek: Fix page faults in ufs_mtk_clk_scale() trace event",
                            "    - riscv: vector: init vector context with proper vlenb",
                            "    - HID: i2c-hid: Add FocalTech FT8112",
                            "    - 9p/xen: protect xen_9pfs_front_free against concurrent calls",
                            "    - soundwire: intel_auxdevice: add cs42l45 codec to wake_capable_list",
                            "    - most: remove usage of the deprecated ida_simple_xx() API",
                            "    - most: core: fix resource leak in most_register_interface error paths",
                            "    - usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()",
                            "    - serial: 8250: 8250_omap.c: Add support for handling UART error",
                            "      conditions",
                            "    - mfd: intel-lpss: Add Intel Nova Lake-S PCI IDs",
                            "    - ACPI: x86: Force enabling of PWM2 on the Yogabook YB1-X90",
                            "    - drm/amd/display: Fix writeback on DCN 3.2+",
                            "    - drm/amd/display: Fix system resume lag issue",
                            "    - drm/amd/display: bypass post csc for additional color spaces in dal",
                            "    - spi: spidev: fix lock inversion between spi_lock and buf_lock",
                            "    - Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings",
                            "    - Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too",
                            "      short",
                            "    - kcm: fix zero-frag skb in frag_list on partial sendmsg error",
                            "    - net/mlx5: E-switch, Clear legacy flag when moving to switchdev",
                            "    - net/mlx5e: Separate address related variables to be in struct",
                            "    - net/mlx5e: Support routed networks during IPsec MACs initialization",
                            "    - net/mlx5e: Fix \"scheduling while atomic\" in IPsec MAC address query",
                            "    - drm/tests: shmem: Swap names of export tests",
                            "    - KVM: x86: Return \"unsupported\" instead of \"invalid\" on access to",
                            "      unsupported PV MSR",
                            "    - media: amphion: Drop min_queued_buffers assignment",
                            "    - media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()",
                            "    - media: i2c: ov01a10: Fix passing stream instead of pad to",
                            "      v4l2_subdev_state_get_format()",
                            "    - media: ccs: Fix setting initial sub-device state",
                            "    - platform/x86: ISST: Add missing write block check",
                            "    - bus: omap-ocp2scp: fix OF populate on driver rebind",
                            "    - media: stm32: dcmipp: bytecap: clear all interrupts upon stream stop",
                            "    - drm/buddy: Prevent BUG_ON by validating rounded allocation",
                            "    - xfs: remove xfs_attr_leaf_hasname",
                            "    - mfd: qcom-pm8xxx: Fix OF populate on driver rebind",
                            "    - mfd: omap-usb-host: Fix OF populate on driver rebind",
                            "    - xfs: fix the xattr scrub to detect freemap/entries array collisions",
                            "    - pinctrl: intel: Add code name documentation",
                            "    - vhost: move vdpa group bound check to vhost_vdpa",
                            "    - clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841",
                            "    - mm/slab: use unsigned long for orig_size to ensure proper metadata align",
                            "    - drm/amd/display: Increase DCN35 SR enter/exit latency",
                            "    - drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify",
                            "    - mm: numa_memblks: Identify the accurate NUMA ID of CFMW",
                            "    - drm/amdgpu: keep vga memory on MacBooks with switchable graphics",
                            "    - most: core: fix leak on early registration failure",
                            "    - Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req",
                            "    - Upstream stable to v6.6.128, v6.12.75",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23249",
                            "    - xfs: check for deleted cursors when revalidating two btrees",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71267",
                            "    - fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71265",
                            "    - fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent",
                            "      metadata",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71266",
                            "    - fs: ntfs3: check return value of indx_find to avoid infinite loop",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23241",
                            "    - audit: add missing syscalls to read class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71239",
                            "    - audit: add fchmodat2() to change attributes class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-31411",
                            "    - net: atm: fix crash due to unvalidated vcc pointer in sigd_send()",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23243",
                            "    - RDMA/umad: Reject negative data_len in ib_umad_write",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23242",
                            "    - RDMA/siw: Fix potential NULL pointer dereference in header processing",
                            "  * Noble update: upstream stable patchset 2026-04-17 (LP: #2148714)",
                            "    - scsi: qla2xxx: Fix bsg_done() causing double free",
                            "    - PCI: endpoint: Remove unused field in struct pci_epf_group",
                            "    - bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show",
                            "      functions",
                            "    - bus: fsl-mc: fix use-after-free in driver_override_show()",
                            "    - ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list",
                            "    - gpio: sprd: Change sprd_gpio lock to raw_spin_lock",
                            "    - ALSA: hda/realtek: Add quirk for Inspur S14-G1",
                            "    - ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel",
                            "    - romfs: check sb_set_blocksize() return value",
                            "    - drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used",
                            "    - platform/x86: classmate-laptop: Add missing NULL pointer checks",
                            "    - ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9",
                            "    - ASoC: amd: yc: Add quirk for HP 200 G2a 16",
                            "    - platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro",
                            "    - platform/x86: panasonic-laptop: Fix sysfs group leak in error path",
                            "    - ASoC: cs42l43: Correct handling of 3-pole jack load detection",
                            "    - ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()",
                            "    - gpiolib: acpi: Fix gpio count with string references",
                            "    - LoongArch: Rework KASAN initialization for PTW-enabled systems",
                            "    - Revert \"wireguard: device: enable threaded NAPI\"",
                            "    - mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count",
                            "    - mm/hugetlb: fix hugetlb_pmd_shared()",
                            "    - mm/hugetlb: fix two comments related to huge_pmd_unshare()",
                            "    - mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using",
                            "      mmu_gather",
                            "    - cpuset: Fix missing adaptation for cpuset_is_populated",
                            "    - LoongArch: Add writecombine support for DMW-based ioremap()",
                            "    - fbdev: rivafb: fix divide error in nv3_arb()",
                            "    - fbdev: smscufx: properly copy ioctl memory to kernelspace",
                            "    - f2fs: fix to add gc count stat in f2fs_gc_range",
                            "    - f2fs: fix out-of-bounds access in sysfs attribute read/write",
                            "    - f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent",
                            "      atomic commit and checkpoint writes",
                            "    - f2fs: fix to avoid UAF in f2fs_write_end_io()",
                            "    - f2fs: fix to avoid mapping wrong physical block for swapfile",
                            "    - USB: serial: option: add Telit FN920C04 RNDIS compositions",
                            "    - bnxt_en: Change FW message timeout warning",
                            "    - bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code",
                            "    - ALSA: hda/realtek: Enable headset mic for Acer Nitro 5",
                            "    - drm/amd/display: remove assert around dpp_base replacement",
                            "    - ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()",
                            "    - Upstream stable to v6.6.126, v6.6.127, v6.12.73, v6.12.74",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260)",
                            "    - Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB",
                            "    - crypto: octeontx - Fix length check to avoid truncation in",
                            "      ucode_load_store",
                            "    - crypto: virtio - Remove duplicated virtqueue_kick in",
                            "      virtio_crypto_skcipher_crypt_req",
                            "    - scsi: qla2xxx: Allow recovery for tape devices",
                            "    - scsi: qla2xxx: Query FW again before proceeding with login",
                            "    - Revert \"netfilter: nf_tables: missing objects with no memcg accounting\"",
                            "    - netfilter: nf_tables: missing objects with no memcg accounting",
                            "    - vsock/test: verify socket options after setting them",
                            "    - selftests: mptcp: pm: ensure unknown flags are ignored",
                            "    - gpio: omap: do not register driver in probe()",
                            "    - net: tunnel: make skb_vlan_inet_prepare() return drop reasons",
                            "    - Upstream stable to v6.6.125, v6.12.71, v6.12.72",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71233",
                            "    - PCI: endpoint: Avoid creating sub-groups asynchronously",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71231",
                            "    - crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23169",
                            "    - mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-40005",
                            "    - spi: cadence-quadspi: Implement refcount to handle unbind during busy",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71232",
                            "    - scsi: qla2xxx: Free sp in error path to fix system crash",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71235",
                            "    - scsi: qla2xxx: Delay module unload while fabric scan in progress",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71236",
                            "    - scsi: qla2xxx: Validate sp before freeing associated memory",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71229",
                            "    - wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71237",
                            "    - nilfs2: Fix potential block overflow that cause system hang",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23229",
                            "    - crypto: virtio - Add spinlock protection with virtqueue notification",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23222",
                            "    - crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23228",
                            "    - smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23220",
                            "    - ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error",
                            "      paths",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23230",
                            "    - smb: client: split cached_fid bitfields to avoid shared-byte RMW races",
                            "  * CVE-2026-23272",
                            "    - netfilter: nf_tables: unconditionally bump set->nelems before insertion",
                            "  * CVE-2026-31418",
                            "    - netfilter: ipset: drop logically empty buckets in mtype_del",
                            "  * CVE-2026-23392",
                            "    - netfilter: nf_tables: release flowtable after rcu grace period on error",
                            "  * CVE-2026-23278",
                            "    - netfilter: nf_tables: always walk all pending catchall elements",
                            "  * GRO managed-frag use-after-free leading to local privilege escalation",
                            "    (LP: #2154172)",
                            "    - net: gro: don't merge zcopy skbs",
                            "  * AppArmor Vulnerabilities  (LP: #2151747)",
                            "    - apparmor: Fix incorrect profile->signal range check",
                            "    - SAUCE: apparmor: pass big_resp to handler",
                            "    - SAUCE: apparmor: remove redundant kref_init for listener->count",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47337",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47336",
                            "    - SAUCE: apparmor: fix use of unintialized variable in net opt level",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47335",
                            "    - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL",
                            "      check",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47334",
                            "    - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47333",
                            "    - SAUCE: apparmor: fix dfa unpacking size of the notification filter",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47332",
                            "    - SAUCE: apparmor: fix size check against type instead of pointer",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47331",
                            "    - SAUCE: apparmor: fix changing rules list without a lock",
                            "  * apparmor: LLVM/clang build failure due to uninitialized variable in",
                            "    notify.c (LP: #2148809) // CVE-2026-47330",
                            "    - SAUCE: apparmor: initialize variable used in uninitialized context",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47329",
                            "    - SAUCE: apparmor: fix name validation bypass on notification",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47327 //",
                            "    CVE-2026-47328",
                            "    - SAUCE: apparmor: fix glob memory leak after kstrdup",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47326",
                            "    - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer",
                            "  * CVE-2026-46300",
                            "    - net: skbuff: preserve shared-frag marker during coalescing",
                            "    - net: skbuff: propagate shared-frag marker through frag-transfer helpers",
                            "  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)",
                            "    - net/rds: reset op_nents when zerocopy page pin fails",
                            "  * CVE-2026-46333",
                            "    - ptrace: slightly saner 'get_dumpable()' logic",
                            "  * CVE-2026-43500",
                            "    - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets",
                            "    - rxrpc: Parse received packets before dealing with timeouts",
                            "    - rxrpc: Fix potential UAF after skb_unshare() failure",
                            "    - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets",
                            "    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
                            "  * CVE-2026-31676 // CVE-2026-43500",
                            "    - rxrpc: only handle RESPONSE during service challenge",
                            "  * CVE-2026-43284",
                            "    - xfrm: esp: avoid in-place decrypt on shared skb frags",
                            "  * CVE-2026-31419",
                            "    - net: bonding: fix use-after-free in bond_xmit_broadcast()",
                            "  * CVE-2026-31431",
                            "    - crypto: scatterwalk - Backport memcpy_sglist()",
                            "    - crypto: algif_aead - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: algif_aead - Revert to operating out-of-place",
                            "    - crypto: algif_aead - snapshot IV for async AEAD requests",
                            "    - crypto: authenc - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: authencesn - Do not place hiseq at end of dst for out-of-place",
                            "      decryption",
                            "    - crypto: authencesn - Fix src offset when decrypting in-place",
                            "    - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl",
                            "    - crypto: algif_aead - Fix minimum RX size check for decryption",
                            "  * CVE-2026-31533",
                            "    - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
                            "  * CVE-2026-31504",
                            "    - net: fix fanout UAF in packet_release() via NETDEV_UP race",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2151948,
                            2154560,
                            2146465,
                            2153556,
                            2152194,
                            2141536,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2148714,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2154172,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2148809,
                            2151747,
                            2151747,
                            2151747,
                            2153962
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:23:35 +0200"
                    }
                ],
                "notes": "linux-modules-6.8.0-134-generic version '6.8.0-134.134~22.04.1' (source package linux-riscv-6.8 version '6.8.0-134.134~22.04.1') was added. linux-modules-6.8.0-134-generic version '6.8.0-134.134~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-124-generic. As such we can use the source package version of the removed package, '6.8.0-124.124~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-riscv-6.8-headers-6.8.0-134",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-134.134~22.04.1",
                    "version": "6.8.0-134.134~22.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43185",
                        "url": "https://ubuntu.com/security/CVE-2026-43185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-06 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43501",
                        "url": "https://ubuntu.com/security/CVE-2026-43501",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45988",
                        "url": "https://ubuntu.com/security/CVE-2026-45988",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46043",
                        "url": "https://ubuntu.com/security/CVE-2026-46043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-27 14:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43493",
                        "url": "https://ubuntu.com/security/CVE-2026-43493",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43071",
                        "url": "https://ubuntu.com/security/CVE-2026-43071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-05 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31685",
                        "url": "https://ubuntu.com/security/CVE-2026-31685",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43117",
                        "url": "https://ubuntu.com/security/CVE-2026-43117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43114",
                        "url": "https://ubuntu.com/security/CVE-2026-43114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-06 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31607",
                        "url": "https://ubuntu.com/security/CVE-2026-31607",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31659",
                        "url": "https://ubuntu.com/security/CVE-2026-31659",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31649",
                        "url": "https://ubuntu.com/security/CVE-2026-31649",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31657",
                        "url": "https://ubuntu.com/security/CVE-2026-31657",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31637",
                        "url": "https://ubuntu.com/security/CVE-2026-31637",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31669",
                        "url": "https://ubuntu.com/security/CVE-2026-31669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31668",
                        "url": "https://ubuntu.com/security/CVE-2026-31668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43011",
                        "url": "https://ubuntu.com/security/CVE-2026-43011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43037",
                        "url": "https://ubuntu.com/security/CVE-2026-43037",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43341",
                        "url": "https://ubuntu.com/security/CVE-2026-43341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43038",
                        "url": "https://ubuntu.com/security/CVE-2026-43038",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-01 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31682",
                        "url": "https://ubuntu.com/security/CVE-2026-31682",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31436",
                        "url": "https://ubuntu.com/security/CVE-2026-31436",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43384",
                        "url": "https://ubuntu.com/security/CVE-2026-43384",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31448",
                        "url": "https://ubuntu.com/security/CVE-2026-31448",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31478",
                        "url": "https://ubuntu.com/security/CVE-2026-31478",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23428",
                        "url": "https://ubuntu.com/security/CVE-2026-23428",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23450",
                        "url": "https://ubuntu.com/security/CVE-2026-23450",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23455",
                        "url": "https://ubuntu.com/security/CVE-2026-23455",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31402",
                        "url": "https://ubuntu.com/security/CVE-2026-31402",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-04-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43383",
                        "url": "https://ubuntu.com/security/CVE-2026-43383",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43378",
                        "url": "https://ubuntu.com/security/CVE-2026-43378",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43414",
                        "url": "https://ubuntu.com/security/CVE-2026-43414",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43407",
                        "url": "https://ubuntu.com/security/CVE-2026-43407",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43406",
                        "url": "https://ubuntu.com/security/CVE-2026-43406",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23249",
                        "url": "https://ubuntu.com/security/CVE-2026-23249",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71267",
                        "url": "https://ubuntu.com/security/CVE-2025-71267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71265",
                        "url": "https://ubuntu.com/security/CVE-2025-71265",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71266",
                        "url": "https://ubuntu.com/security/CVE-2025-71266",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23241",
                        "url": "https://ubuntu.com/security/CVE-2026-23241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71239",
                        "url": "https://ubuntu.com/security/CVE-2025-71239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-17 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31411",
                        "url": "https://ubuntu.com/security/CVE-2026-31411",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23243",
                        "url": "https://ubuntu.com/security/CVE-2026-23243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23242",
                        "url": "https://ubuntu.com/security/CVE-2026-23242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71233",
                        "url": "https://ubuntu.com/security/CVE-2025-71233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71231",
                        "url": "https://ubuntu.com/security/CVE-2025-71231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23169",
                        "url": "https://ubuntu.com/security/CVE-2026-23169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-14 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40005",
                        "url": "https://ubuntu.com/security/CVE-2025-40005",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71232",
                        "url": "https://ubuntu.com/security/CVE-2025-71232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71235",
                        "url": "https://ubuntu.com/security/CVE-2025-71235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71236",
                        "url": "https://ubuntu.com/security/CVE-2025-71236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71229",
                        "url": "https://ubuntu.com/security/CVE-2025-71229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-71237",
                        "url": "https://ubuntu.com/security/CVE-2025-71237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23229",
                        "url": "https://ubuntu.com/security/CVE-2026-23229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23222",
                        "url": "https://ubuntu.com/security/CVE-2026-23222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23228",
                        "url": "https://ubuntu.com/security/CVE-2026-23228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23220",
                        "url": "https://ubuntu.com/security/CVE-2026-23220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23230",
                        "url": "https://ubuntu.com/security/CVE-2026-23230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-18 16:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23272",
                        "url": "https://ubuntu.com/security/CVE-2026-23272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31418",
                        "url": "https://ubuntu.com/security/CVE-2026-31418",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23392",
                        "url": "https://ubuntu.com/security/CVE-2026-23392",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-03-25 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23278",
                        "url": "https://ubuntu.com/security/CVE-2026-23278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47337",
                        "url": "https://ubuntu.com/security/CVE-2026-47337",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47336",
                        "url": "https://ubuntu.com/security/CVE-2026-47336",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47335",
                        "url": "https://ubuntu.com/security/CVE-2026-47335",
                        "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47334",
                        "url": "https://ubuntu.com/security/CVE-2026-47334",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47333",
                        "url": "https://ubuntu.com/security/CVE-2026-47333",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47332",
                        "url": "https://ubuntu.com/security/CVE-2026-47332",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47331",
                        "url": "https://ubuntu.com/security/CVE-2026-47331",
                        "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47330",
                        "url": "https://ubuntu.com/security/CVE-2026-47330",
                        "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47329",
                        "url": "https://ubuntu.com/security/CVE-2026-47329",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47327",
                        "url": "https://ubuntu.com/security/CVE-2026-47327",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47328",
                        "url": "https://ubuntu.com/security/CVE-2026-47328",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-47326",
                        "url": "https://ubuntu.com/security/CVE-2026-47326",
                        "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46300",
                        "url": "https://ubuntu.com/security/CVE-2026-46300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-23 12:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46333",
                        "url": "https://ubuntu.com/security/CVE-2026-46333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43500",
                        "url": "https://ubuntu.com/security/CVE-2026-43500",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-11 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31676",
                        "url": "https://ubuntu.com/security/CVE-2026-31676",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-25 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43284",
                        "url": "https://ubuntu.com/security/CVE-2026-43284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31419",
                        "url": "https://ubuntu.com/security/CVE-2026-31419",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-13 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31431",
                        "url": "https://ubuntu.com/security/CVE-2026-31431",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 09:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31533",
                        "url": "https://ubuntu.com/security/CVE-2026-31533",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-23 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-31504",
                        "url": "https://ubuntu.com/security/CVE-2026-31504",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-22 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2158431,
                    2158432,
                    2158377,
                    2157195,
                    2157196,
                    1786013,
                    2151948,
                    2154560,
                    2146465,
                    2153556,
                    2152194,
                    2141536,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2150809,
                    2148714,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2148260,
                    2154172,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2151747,
                    2148809,
                    2151747,
                    2151747,
                    2151747,
                    2153962
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-134.134~22.04.1 -proposed tracker (LP: #2158431)",
                            "",
                            "  [ Ubuntu: 6.8.0-134.134 ]",
                            "",
                            "  * noble/linux: 6.8.0-134.134 -proposed tracker (LP: #2158432)",
                            "  * ext4: writeback causes kernel oops when low on space (LP: #2158377)",
                            "    - ext4: get rid of ppath in get_ext_path()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-134.134~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2158431,
                            2158432,
                            2158377
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Mon, 29 Jun 2026 16:08:57 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43185",
                                "url": "https://ubuntu.com/security/CVE-2026-43185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix signededness bug in smb_direct_prepare_negotiation()  smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.  By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.  This fix replaces min_t(int, ...) with min_t(u32)",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-06 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43501",
                                "url": "https://ubuntu.com/security/CVE-2026-43501",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: rpl: reserve mac_len headroom when recompressed SRH grows  ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back.  The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).  pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom.  Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:  \tskb_set_mac_header(skb, -skb->mac_len);  will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.  A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.  Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45988",
                                "url": "https://ubuntu.com/security/CVE-2026-45988",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix re-decryption of RESPONSE packets  If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry.  Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response.  Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46043",
                                "url": "https://ubuntu.com/security/CVE-2026-46043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv  rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.  However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)                  - RXE_ICRC_SIZE  This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.  Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-27 14:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43493",
                                "url": "https://ubuntu.com/security/CVE-2026-43493",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: pcrypt - Fix handling of MAY_BACKLOG requests  MAY_BACKLOG requests can return EBUSY.  Handle them by checking for that value and filtering out EINPROGRESS notifications.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43071",
                                "url": "https://ubuntu.com/security/CVE-2026-43071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dcache: Limit the minimal number of bucket to two  There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':   BUG: unable to handle page fault for address: ffff888b30b774b0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   Oops: Oops: 0000 [#1] SMP PTI   RIP: 0010:__d_lookup+0x56/0x120    Call Trace:     d_lookup.cold+0x16/0x5d     lookup_dcache+0x27/0xf0     lookup_one_qstr_excl+0x2a/0x180     start_dirop+0x55/0xa0     simple_start_creating+0x8d/0xa0     debugfs_start_creating+0x8c/0x180     debugfs_create_dir+0x1d/0x1c0     pinctrl_init+0x6d/0x140     do_one_initcall+0x6d/0x3d0     kernel_init_freeable+0x39f/0x460     kernel_init+0x2a/0x260  There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable:  d_lookup   b = d_hash(hash)     dentry_hashtable + ((u32)hashlen >> d_hash_shift)     // The C standard defines the behavior of right shift amounts     // exceeding the bit width of the operand as undefined. The     // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',     // so 'b' will point to an unallocated memory region.   hlist_bl_for_each_entry_rcu(b)    hlist_bl_first_rcu(head)     h->first  // read OOB!  Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-05 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31685",
                                "url": "https://ubuntu.com/security/CVE-2026-31685",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ip6t_eui64: reject invalid MAC header for all packets  `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.  The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.  Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43117",
                                "url": "https://ubuntu.com/security/CVE-2026-43117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()  If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.  Use file_inode(file)->i_sb to always get btrfs_sb.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43114",
                                "url": "https://ubuntu.com/security/CVE-2026-43114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry  New test case fails unexpectedly when avx2 matching functions are used.  The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e.  nft -f foo.  This works.  Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -  This is expected to work, because its the same set after all and it was already loaded once.  But with avx2, this fails: nft reports a clashing element.  The reported clash is of following form:      We successfully re-inserted       a . b       c . d  Then we try to insert a . d  avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation.  It skips the element and moves to next.  Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,  i.e. we return the already reinserted \"a . b\", even though the last field is different and the entry should not have been matched.  No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.  Bisection points to 7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\") but that fix merely uncovers this bug.  Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.  The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-06 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31607",
                                "url": "https://ubuntu.com/security/CVE-2026-31607",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbip: validate number_of_packets in usbip_pack_ret_submit()  When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.  A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.  KASAN confirmed this with kernel 7.0.0-rc5:    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640   Write of size 4 at addr ffff888106351d40 by task vhci_rx/69    The buggy address is located 0 bytes to the right of    allocated 320-byte region [ffff888106351c00, ffff888106351d40)  The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input\"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.  This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.  Kelvin Mbogo's series (\"usb: usbip: fix integer overflow in usbip_recv_iso()\", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.  Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31659",
                                "url": "https://ubuntu.com/security/CVE-2026-31659",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject oversized global TT response buffers  batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().  The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.  Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31649",
                                "url": "https://ubuntu.com/security/CVE-2026-31649",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: fix integer underflow in chain mode  The jumbo_frm() chain-mode implementation unconditionally computes      len = nopaged_len - bmax;  where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):      is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);  When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx).  This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.  Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31657",
                                "url": "https://ubuntu.com/security/CVE-2026-31657",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: hold claim backbone gateways by reference  batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.  The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.  Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31637",
                                "url": "https://ubuntu.com/security/CVE-2026-31637",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: reject undecryptable rxkad response tickets  rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.  A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.  Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31669",
                                "url": "https://ubuntu.com/security/CVE-2026-31669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix slab-use-after-free in __inet_lookup_established  The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().  However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.  This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.  Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31668",
                                "url": "https://ubuntu.com/security/CVE-2026-31668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: separate dst_cache for input and output paths in seg6 lwtunnel  The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.  Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43011",
                                "url": "https://ubuntu.com/security/CVE-2026-43011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/x25: Fix potential double free of skb  When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:  x25_queue_rx_frame returns 1     |     v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0     |     v x25_process_rx_frame returns queued=0     |     v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again  This would free the same skb twice. Looking at x25_backlog_rcv:  net/x25/x25_in.c:x25_backlog_rcv() {     ...     queued = x25_process_rx_frame(sk, skb);     ...     if (!queued)         kfree_skb(skb); }",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43037",
                                "url": "https://ubuntu.com/security/CVE-2026-43037",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()  Oskar Kjos reported the following problem.  ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).  To fix this we clear skb2->cb[], as suggested by Oskar Kjos.  Also add minimal IPv4 header validation (version == 4, ihl >= 5).",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43341",
                                "url": "https://ubuntu.com/security/CVE-2026-43341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ipv6: ioam6: prevent schema length wraparound in trace fill  ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.  Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43038",
                                "url": "https://ubuntu.com/security/CVE-2026-43038",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()  Sashiko AI-review observed:    In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet   where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2   and passed to icmp6_send(), it uses IP6CB(skb2).    IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso   offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm   at offset 18.    If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao   would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called   and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).    This would scan the inner, attacker-controlled IPv6 packet starting at that   offset, potentially returning a fake TLV without checking if the remaining   packet length can hold the full 18-byte struct ipv6_destopt_hao.    Could mip6_addr_swap() then perform a 16-byte swap that extends past the end   of the packet data into skb_shared_info?    Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and   ip6ip6_err() to prevent this?  This patch implements the first suggestion.  I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-01 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31682",
                                "url": "https://ubuntu.com/security/CVE-2026-31682",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: br_nd_send: linearize skb before parsing ND options  br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.  Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.  Linearize request before option parsing and derive ns from the linear network header.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31436",
                                "url": "https://ubuntu.com/security/CVE-2026-31436",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()  At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.  Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43384",
                                "url": "https://ubuntu.com/security/CVE-2026-43384",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-ao: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31448",
                                "url": "https://ubuntu.com/security/CVE-2026-31448",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: avoid infinite loops caused by residual data  On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.  The above causes ext4_xattr_block_set() to enter an infinite loop about \"inserted\" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].  If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:  1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.  2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.  [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace:  inode_lock_nested include/linux/fs.h:1073 [inline]  __start_dirop fs/namei.c:2923 [inline]  start_dirop fs/namei.c:2934 [inline]",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31478",
                                "url": "https://ubuntu.com/security/CVE-2026-31478",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()  After this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23428",
                                "url": "https://ubuntu.com/security/CVE-2026-23428",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free of share_conf in compound request  smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.  If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.  KASAN report:  [    4.144653] ================================================================== [    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 [    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 [    4.145772] [    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY [    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [    4.145875] Workqueue: ksmbd-io handle_ksmbd_work [    4.145888] Call Trace: [    4.145892]  <TASK> [    4.145894]  dump_stack_lvl+0x64/0x80 [    4.145910]  print_report+0xce/0x660 [    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [    4.145928]  ? smb2_write+0xc74/0xe70 [    4.145931]  kasan_report+0xce/0x100 [    4.145934]  ? smb2_write+0xc74/0xe70 [    4.145937]  smb2_write+0xc74/0xe70 [    4.145939]  ? __pfx_smb2_write+0x10/0x10 [    4.145942]  ? _raw_spin_unlock+0xe/0x30 [    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0 [    4.145948]  ? smb2_tree_disconnect+0x31c/0x480 [    4.145951]  handle_ksmbd_work+0x40f/0x1080 [    4.145953]  process_one_work+0x5fa/0xef0 [    4.145962]  ? assign_work+0x122/0x3e0 [    4.145964]  worker_thread+0x54b/0xf70 [    4.145967]  ? __pfx_worker_thread+0x10/0x10 [    4.145970]  kthread+0x346/0x470 [    4.145976]  ? recalc_sigpending+0x19b/0x230 [    4.145980]  ? __pfx_kthread+0x10/0x10 [    4.145984]  ret_from_fork+0x4fb/0x6c0 [    4.145992]  ? __pfx_ret_from_fork+0x10/0x10 [    4.145995]  ? __switch_to+0x36c/0xbe0 [    4.145999]  ? __pfx_kthread+0x10/0x10 [    4.146003]  ret_from_fork_asm+0x1a/0x30 [    4.146013]  </TASK> [    4.146014] [    4.149858] Allocated by task 44: [    4.149953]  kasan_save_stack+0x33/0x60 [    4.150061]  kasan_save_track+0x14/0x30 [    4.150169]  __kasan_kmalloc+0x8f/0xa0 [    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0 [    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600 [    4.150529]  smb2_tree_connect+0x2e6/0x1000 [    4.150645]  handle_ksmbd_work+0x40f/0x1080 [    4.150761]  process_one_work+0x5fa/0xef0 [    4.150873]  worker_thread+0x54b/0xf70 [    4.150978]  kthread+0x346/0x470 [    4.151071]  ret_from_fork+0x4fb/0x6c0 [    4.151176]  ret_from_fork_asm+0x1a/0x30 [    4.151286] [    4.151332] Freed by task 44: [    4.151418]  kasan_save_stack+0x33/0x60 [    4.151526]  kasan_save_track+0x14/0x30 [    4.151634]  kasan_save_free_info+0x3b/0x60 [    4.151751]  __kasan_slab_free+0x43/0x70 [    4.151861]  kfree+0x1ca/0x430 [    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190 [    4.152088]  smb2_tree_disconnect+0x1cd/0x480 [    4.152211]  handle_ksmbd_work+0x40f/0x1080 [    4.152326]  process_one_work+0x5fa/0xef0 [    4.152438]  worker_thread+0x54b/0xf70 [    4.152545]  kthread+0x346/0x470 [    4.152638]  ret_from_fork+0x4fb/0x6c0 [    4.152743]  ret_from_fork_asm+0x1a/0x30 [    4.152853] [    4.152900] The buggy address belongs to the object at ffff88810430c180 [    4.152900]  which belongs to the cache kmalloc-96 of size 96 [    4.153226] The buggy address is located 20 bytes inside of [    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0) [    4.153549] [    4.153596] The buggy address belongs to the physical page: [    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c [    4.154000] flags: 0x ---truncated---",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23450",
                                "url": "https://ubuntu.com/security/CVE-2026-23450",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()  Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].  smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release().  This leads to two issues:  1) NULL pointer dereference: sk_user_data is NULL when    accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the    smc_sock is freed before its fields (e.g., queued_smc_hs,    ori_af_ops) are accessed.  The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race):    CPU A (softirq)              CPU B (process ctx)    tcp_v4_rcv()     TCP_NEW_SYN_RECV:     sk = req->rsk_listener     sock_hold(sk)     /* No lock on listener */                                smc_close_active():                                  write_lock_bh(cb_lock)                                  sk_user_data = NULL                                  write_unlock_bh(cb_lock)                                  ...                                  smc_clcsock_release()                                  sock_put(smc->sk) x2                                    -> smc_sock freed!     tcp_check_req()       smc_tcp_syn_recv_sock():         smc = user_data(sk)           -> NULL or dangling         smc->queued_smc_hs           -> crash!  Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed.  Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight.  - Set SOCK_RCU_FREE on the SMC listen socket so that   smc_sock freeing is deferred until after the RCU grace   period. This guarantees the memory is still valid when   accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the   smc_sock. If the refcount has already reached zero (close   path completed), it returns false and we bail out safely.  Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected.  Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied.  [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23455",
                                "url": "https://ubuntu.com/security/CVE-2026-23455",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()  In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.  Add a check to ensure len is positive after the decrement.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31402",
                                "url": "https://ubuntu.com/security/CVE-2026-31402",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix heap overflow in NFSv4.0 LOCK replay cache  The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).  When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.  This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.  We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.  Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-04-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43383",
                                "url": "https://ubuntu.com/security/CVE-2026-43383",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tcp-md5: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time.  Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43378",
                                "url": "https://ubuntu.com/security/CVE-2026-43378",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix use-after-free in smb2_open()  The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43414",
                                "url": "https://ubuntu.com/security/CVE-2026-43414",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Completely fix fcport double free  In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.  qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43407",
                                "url": "https://ubuntu.com/security/CVE-2026-43407",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()  This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.  This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.  Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.  BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262  CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace:  <TASK>  dump_stack_lvl+0x76/0xa0  print_report+0xd1/0x620  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? kasan_complete_mode_report_info+0x72/0x210  kasan_report+0xe7/0x130  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]  __asan_report_load_n_noabort+0xf/0x20  ceph_handle_auth_reply+0x642/0x7a0 [libceph]  mon_dispatch+0x973/0x23d0 [libceph]  ? apparmor_socket_recvmsg+0x6b/0xa0  ? __pfx_mon_dispatch+0x10/0x10 [libceph]  ? __kasan_check_write+0x14/0x30i  ? mutex_unlock+0x7f/0xd0  ? __pfx_mutex_unlock+0x10/0x10  ? __pfx_do_recvmsg+0x10/0x10 [libceph]  ceph_con_process_message+0x1f1/0x650 [libceph]  process_message+0x1e/0x450 [libceph]  ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]  ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]  ? save_fpregs_to_fpstate+0xb0/0x230  ? raw_spin_rq_unlock+0x17/0xa0  ? finish_task_switch.isra.0+0x13b/0x760  ? __switch_to+0x385/0xda0  ? __kasan_check_write+0x14/0x30  ? mutex_lock+0x8d/0xe0  ? __pfx_mutex_lock+0x10/0x10  ceph_con_workfn+0x248/0x10c0 [libceph]  process_one_work+0x629/0xf80  ? __kasan_check_write+0x14/0x30  worker_thread+0x87f/0x1570  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? __pfx_try_to_wake_up+0x10/0x10  ? kasan_print_address_stack_frame+0x1f7/0x280  ? __pfx_worker_thread+0x10/0x10  kthread+0x396/0x830  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? __pfx_kthread+0x10/0x10  ? __kasan_check_write+0x14/0x30  ? recalc_sigpending+0x180/0x210  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x3f7/0x610  ? __pfx_ret_from_fork+0x10/0x10  ? __switch_to+0x385/0xda0  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>  [ idryomov: replace if statements with ceph_decode_need() for   payload_len and result_msg_len ]",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43406",
                                "url": "https://ubuntu.com/security/CVE-2026-43406",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: prevent potential out-of-bounds reads in process_message_header()  If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().  Perform an explicit bounds check before decoding the message header.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-131.131~22.04.1 -proposed tracker (LP: #2157195)",
                            "",
                            "  [ Ubuntu: 6.8.0-131.131 ]",
                            "",
                            "  * noble/linux: 6.8.0-131.131 -proposed tracker (LP: #2157196)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "  * CVE-2026-43185",
                            "    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "  * CVE-2026-43501",
                            "    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
                            "  * CVE-2026-45988",
                            "    - rxrpc: Fix re-decryption of RESPONSE packets",
                            "  * CVE-2026-46043",
                            "    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv",
                            "  * CVE-2026-43493",
                            "    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests",
                            "  * CVE-2026-43071",
                            "    - dcache: Limit the minimal number of bucket to two",
                            "  * CVE-2026-31685",
                            "    - netfilter: ip6t_eui64: reject invalid MAC header for all packets",
                            "  * CVE-2026-43117",
                            "    - btrfs: tracepoints: get correct superblock from dentry in event",
                            "      btrfs_sync_file()",
                            "  * CVE-2026-43114",
                            "    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on",
                            "      expiry",
                            "  * CVE-2026-31607",
                            "    - usbip: validate number_of_packets in usbip_pack_ret_submit()",
                            "  * CVE-2026-31659",
                            "    - batman-adv: reject oversized global TT response buffers",
                            "  * CVE-2026-31649",
                            "    - net: stmmac: fix integer underflow in chain mode",
                            "  * CVE-2026-31657",
                            "    - batman-adv: hold claim backbone gateways by reference",
                            "  * CVE-2026-31637",
                            "    - rxrpc: reject undecryptable rxkad response tickets",
                            "  * CVE-2026-31669",
                            "    - mptcp: fix slab-use-after-free in __inet_lookup_established",
                            "  * CVE-2026-31668",
                            "    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel",
                            "  * CVE-2026-43011",
                            "    - net/x25: Fix potential double free of skb",
                            "  * CVE-2026-43037",
                            "    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()",
                            "  * CVE-2026-43341",
                            "    - net/ipv6: ioam6: prevent schema length wraparound in trace fill",
                            "  * CVE-2026-43038",
                            "    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()",
                            "  * CVE-2026-31682",
                            "    - bridge: br_nd_send: linearize skb before parsing ND options",
                            "  * CVE-2026-31436",
                            "    - dmaengine: idxd: fix possible wrong descriptor completion in",
                            "      llist_abort_desc()",
                            "  * CVE-2026-43384",
                            "    - net/tcp-ao: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-31448",
                            "    - ext4: get rid of ppath in ext4_find_extent()",
                            "    - ext4: get rid of ppath in ext4_ext_create_new_leaf()",
                            "    - ext4: get rid of ppath in ext4_ext_insert_extent()",
                            "    - ext4: avoid infinite loops caused by residual data",
                            "  * CVE-2026-31478",
                            "    - ksmbd: replace hardcoded hdr2_len with offsetof() in",
                            "      smb2_calc_max_out_buf_len()",
                            "  * CVE-2026-23428",
                            "    - ksmbd: fix use-after-free of share_conf in compound request",
                            "  * CVE-2026-23450",
                            "    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()",
                            "  * CVE-2026-23455",
                            "    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()",
                            "  * CVE-2026-31402",
                            "    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
                            "  * CVE-2026-43383",
                            "    - net/tcp-md5: Fix MAC comparison to be constant-time",
                            "  * CVE-2026-43378",
                            "    - smb: server: fix use-after-free in smb2_open()",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            "  * CVE-2026-43414",
                            "    - scsi: qla2xxx: Completely fix fcport double free",
                            "  * CVE-2026-43407",
                            "    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()",
                            "  * CVE-2026-43406",
                            "    - libceph: prevent potential out-of-bounds reads in",
                            "      process_message_header()",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-131.131~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2157195,
                            2157196,
                            1786013
                        ],
                        "author": "Alessio Faina <alessio.faina@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:45:49 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23249",
                                "url": "https://ubuntu.com/security/CVE-2026-23249",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfs: check for deleted cursors when revalidating two btrees  The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.  However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call.  His root-cause analysis is as follows (with minor corrections):   In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first  for BNOBT, second for CNTBT). The cause of this issue is that the  first call nullified the cursor required by the second call.   Let's first enter xrep_revalidate_allocbt() via following call chain:   xfs_file_ioctl() ->  xfs_ioc_scrubv_metadata() ->  xfs_scrub_metadata() ->  `sc->ops->repair_eval(sc)` ->  xrep_revalidate_allocbt()   xchk_allocbt() is called twice in this function. In the first call:   /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */  xchk_allocbt() ->  xchk_btree() ->  `bs->scrub_rec(bs, recp)` ->  xchk_allocbt_rec() ->  xchk_allocbt_xref() ->  xchk_allocbt_xref_other()   since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call  chain:   xfs_alloc_get_rec() ->  xfs_btree_get_rec() ->  xfs_btree_check_block() ->  (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter  is true, return -EFSCORRUPTED. This should be caused by  ioctl$XFS_IOC_ERROR_INJECTION I guess.   Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this  function, *curpp (points to sc->sa.cnt_cur) is nullified.   Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second  call) -> xchk_btree().  So.  The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt.  Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete.  Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.  Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71267",
                                "url": "https://ubuntu.com/security/CVE-2025-71267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.  When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.  This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71265",
                                "url": "https://ubuntu.com/security/CVE-2025-71265",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.  This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71266",
                                "url": "https://ubuntu.com/security/CVE-2025-71266",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: check return value of indx_find to avoid infinite loop  We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.  A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash.  This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23241",
                                "url": "https://ubuntu.com/security/CVE-2026-23241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add missing syscalls to read class  The \"at\" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds missing syscalls to the audit read class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71239",
                                "url": "https://ubuntu.com/security/CVE-2025-71239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  audit: add fchmodat2() to change attributes class  fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as:  -w /tmp/test -p rwa -k test_rwa  The current patch adds fchmodat2() to the change attributes class.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-17 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31411",
                                "url": "https://ubuntu.com/security/CVE-2026-31411",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: atm: fix crash due to unvalidated vcc pointer in sigd_send()  Reproducer available at [1].  The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:      int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);     ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon     struct msghdr msg = { .msg_iov = &iov, ... };     *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer     sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef  In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.  Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.  Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.  Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.  [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23243",
                                "url": "https://ubuntu.com/security/CVE-2026-23243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/umad: Reject negative data_len in ib_umad_write  ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().  Add an explicit check to reject negative data_len before creating the send buffer.  KASAN splat: [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [  211.365867] ib_create_send_mad+0xa01/0x11b0 [  211.365887] ib_umad_write+0x853/0x1c80",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23242",
                                "url": "https://ubuntu.com/security/CVE-2026-23242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/siw: Fix potential NULL pointer dereference in header processing  If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.  KASAN splat: [  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71233",
                                "url": "https://ubuntu.com/security/CVE-2025-71233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: Avoid creating sub-groups asynchronously  The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.  The crash can be easily reproduced with the following commands:    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test   # for i in {1..20}; do mkdir test && rmdir test; done    BUG: kernel NULL pointer dereference, address: 0000000000000088   ...   Call Trace:    configfs_register_group+0x3d/0x190    pci_epf_cfs_work+0x41/0x110    process_one_work+0x18f/0x350    worker_thread+0x25a/0x3a0  Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.  [mani: slightly reworded the description and added stable list]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71231",
                                "url": "https://ubuntu.com/security/CVE-2025-71231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode  The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.  If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().  Fix both issues by returning either a valid index or -EINVAL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23169",
                                "url": "https://ubuntu.com/security/CVE-2026-23169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()  syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()  Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.  list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.  Many thanks to Eulgyu Kim for providing a repro and testing our patches.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-14 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40005",
                                "url": "https://ubuntu.com/security/CVE-2025-40005",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: Implement refcount to handle unbind during busy  driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.  Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71232",
                                "url": "https://ubuntu.com/security/CVE-2025-71232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Free sp in error path to fix system crash  System crash seen during load/unload test in a loop,  [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] -----------------------------------------------------------------------------  [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G          OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516]  <TASK> [61110.467519]  dump_stack_lvl+0x34/0x48 [61110.467526]  slab_err.cold+0x53/0x67 [61110.467534]  __kmem_cache_shutdown+0x16e/0x320 [61110.467540]  kmem_cache_destroy+0x51/0x160 [61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616]  ? do_syscall_64+0x5c/0x90 [61110.467619]  ? exc_page_fault+0x62/0x150 [61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626]  </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G   B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738]  <TASK> [61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280  Free sp in the error path to fix the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71235",
                                "url": "https://ubuntu.com/security/CVE-2025-71235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Delay module unload while fabric scan in progress  System crash seen during load/unload test in a loop.  [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931]  <IRQ> [105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999]  ? __wake_up_common+0x80/0x190 [105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044]  ? handle_irq_event+0x58/0xb0 [105954.385046]  ? handle_edge_irq+0x93/0x240 [105954.385050]  ? __common_interrupt+0x41/0xa0 [105954.385055]  ? common_interrupt+0x3e/0xa0 [105954.385060]  ? asm_common_interrupt+0x22/0x40  The root cause of this was that there was a free (dma_free_attrs) in the interrupt context.  There was a device discovery/fabric scan in progress.  A module unload was issued which set the UNLOADING flag.  As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued).  Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed.  The free occurred in interrupt context leading to system crash.  Delay the driver unload until the fabric scan is complete to avoid the crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71236",
                                "url": "https://ubuntu.com/security/CVE-2025-71236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: qla2xxx: Validate sp before freeing associated memory  System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162]  <TASK> [154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df [154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215]  ? __die_body.cold+0x8/0xd [154565.553218]  ? page_fault_oops+0x134/0x170 [154565.553223]  ? snprintf+0x49/0x70 [154565.553229]  ? exc_page_fault+0x62/0x150 [154565.553238]  ? asm_exc_page_fault+0x22/0x30  Check for sp being non NULL before freeing any associated memory",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71229",
                                "url": "https://ubuntu.com/security/CVE-2025-71229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()  rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.  Do 1 byte reads/writes instead.  Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info:   ESR = 0x0000000096000021   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x21: alignment fault Data abort info:   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1]  SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W          6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace:  rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)  rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]  rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]  rtw_c2h_work+0x50/0x98 [rtw88_core]  process_one_work+0x178/0x3f8  worker_thread+0x208/0x418  kthread+0x120/0x220  ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-71237",
                                "url": "https://ubuntu.com/security/CVE-2025-71237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: Fix potential block overflow that cause system hang  When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].  If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.  Exiting successfully and assign the discarded size (0 in this case) to range->len.  Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.  [1] task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace:  rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272  nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]  nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684  [ryusuke: corrected part of the commit message about the consequences]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23229",
                                "url": "https://ubuntu.com/security/CVE-2026-23229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: virtio - Add spinlock protection with virtqueue notification  When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as   openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32  openssl processes will hangup and there is error reported like this:  virtio_crypto virtio0: dataq.0:id 3 is not a head!  It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23222",
                                "url": "https://ubuntu.com/security/CVE-2026-23222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly  The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation.  Use sizeof(*new_sg) to get the correct object size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23228",
                                "url": "https://ubuntu.com/security/CVE-2026-23228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()  On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter.  Replace free_transport() with ksmbd_tcp_disconnect().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23220",
                                "url": "https://ubuntu.com/security/CVE-2026-23220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths  The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with \"bad smb2 signature\" messages and high CPU usage.  This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23230",
                                "url": "https://ubuntu.com/security/CVE-2026-23230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: split cached_fid bitfields to avoid shared-byte RMW races  is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.  A possible interleaving is:     CPU1: load old byte (has_lease=1, on_list=1)     CPU2: clear both flags (store 0)     CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits  To avoid this class of races, convert these flags to separate bool fields.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-18 16:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23272",
                                "url": "https://ubuntu.com/security/CVE-2026-23272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: unconditionally bump set->nelems before insertion  In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.  To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.  As for element updates, decrement set->nelems to restore it.  A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31418",
                                "url": "https://ubuntu.com/security/CVE-2026-31418",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: drop logically empty buckets in mtype_del  mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.  Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23392",
                                "url": "https://ubuntu.com/security/CVE-2026-23392",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: release flowtable after rcu grace period on error  Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.  This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().  There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.  Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-03-25 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23278",
                                "url": "https://ubuntu.com/security/CVE-2026-23278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: always walk all pending catchall elements  During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.  If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate.  Otherwise, we get:  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]  [..]  __nft_set_elem_destroy+0x106/0x380 [nf_tables]  nf_tables_abort_release+0x348/0x8d0 [nf_tables]  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47337",
                                "url": "https://ubuntu.com/security/CVE-2026-47337",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47336",
                                "url": "https://ubuntu.com/security/CVE-2026-47336",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47335",
                                "url": "https://ubuntu.com/security/CVE-2026-47335",
                                "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47334",
                                "url": "https://ubuntu.com/security/CVE-2026-47334",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47333",
                                "url": "https://ubuntu.com/security/CVE-2026-47333",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47332",
                                "url": "https://ubuntu.com/security/CVE-2026-47332",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47331",
                                "url": "https://ubuntu.com/security/CVE-2026-47331",
                                "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47330",
                                "url": "https://ubuntu.com/security/CVE-2026-47330",
                                "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47329",
                                "url": "https://ubuntu.com/security/CVE-2026-47329",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47327",
                                "url": "https://ubuntu.com/security/CVE-2026-47327",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47328",
                                "url": "https://ubuntu.com/security/CVE-2026-47328",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-47326",
                                "url": "https://ubuntu.com/security/CVE-2026-47326",
                                "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46300",
                                "url": "https://ubuntu.com/security/CVE-2026-46300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-23 12:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46333",
                                "url": "https://ubuntu.com/security/CVE-2026-46333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43500",
                                "url": "https://ubuntu.com/security/CVE-2026-43500",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-11 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31676",
                                "url": "https://ubuntu.com/security/CVE-2026-31676",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: only handle RESPONSE during service challenge  Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-25 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43284",
                                "url": "https://ubuntu.com/security/CVE-2026-43284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31419",
                                "url": "https://ubuntu.com/security/CVE-2026-31419",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bonding: fix use-after-free in bond_xmit_broadcast()  bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed).  Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop.  This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations.  The UAF can trigger the following crash:  ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147  CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace:  <TASK>  dump_stack_lvl (lib/dump_stack.c:123)  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)  kasan_report (mm/kasan/report.c:597)  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)  ip6_output (net/ipv6/ip6_output.c:250)  ip6_send_skb (net/ipv6/ip6_output.c:1985)  udp_v6_send_skb (net/ipv6/udp.c:1442)  udpv6_sendmsg (net/ipv6/udp.c:1733)  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)  __x64_sys_sendto (net/socket.c:2209)  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  </TASK>  Allocated by task 147:  Freed by task 147:  The buggy address belongs to the object at ffff888100ef8c80  which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)  Memory state around the buggy address:  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc                                                     ^  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-13 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31431",
                                "url": "https://ubuntu.com/security/CVE-2026-31431",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_aead - Revert to operating out-of-place  This mostly reverts commit 72548b093ee3 except for the copying of the associated data.  There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings.  Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 09:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31533",
                                "url": "https://ubuntu.com/security/CVE-2026-31533",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption  The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.  When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.  The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.  Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-23 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-31504",
                                "url": "https://ubuntu.com/security/CVE-2026-31504",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix fanout UAF in packet_release() via NETDEV_UP race  `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.  The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.  This bug was found following an additional audit with Claude Code based on CVE-2025-38617.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-22 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-riscv-6.8: 6.8.0-130.130~22.04.1 -proposed tracker (LP: #2151948)",
                            "",
                            "  [ Ubuntu: 6.8.0-130.130 ]",
                            "",
                            "  * noble/linux: 6.8.0-130.130 -proposed tracker (LP: #2154560)",
                            "  * Noble update: upstream stable patchset 2026-03-26 (LP: #2146465)",
                            "    - Revert \"UBUNTU: SAUCE: Fix skb_vlan_inet_prepare() usage\"",
                            "  * Kernel regression (6.8.0-117.generic) (LP: #2153556)",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - bonding: do not set usable_slaves for broadcast mode",
                            "  * perf_cpu_map__merge fails to compile on ppc46el, s390x on noble linux",
                            "    (LP: #2152194)",
                            "    - SAUCE: temporary fix attempt for size eceed",
                            "  * Some powerpc test from ubuntu_kernel_selftests timeout with 45 seconds",
                            "    (LP: #2141536)",
                            "    - selftests/powerpc: Lower run time of count_stcx_fail test",
                            "    - selftests/powerpc: Give all tests 2 minutes timeout",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809)",
                            "    - auxdisplay: arm-charlcd: fix release_mem_region() size",
                            "    - hfsplus: return error when node already exists in hfs_bnode_create",
                            "    - rcu: s/boost_kthread_mutex/kthread_mutex",
                            "    - rcu/exp: Move expedited kthread worker creation functions above",
                            "      rcutree_prepare_cpu()",
                            "    - rcu: Refactor expedited handling check in rcu_read_unlock_special()",
                            "    - rcu: Remove local_irq_save/restore() in",
                            "      rcu_preempt_deferred_qs_handler()",
                            "    - rcu: Fix rcu_read_unlock() deadloop due to softirq",
                            "    - audit: move the compat_xxx_class[] extern declarations to audit_arch.h",
                            "    - i3c: Move device name assignment after i3c_bus_init",
                            "    - fs: add <linux/init_task.h> for 'init_fs'",
                            "    - i3c: master: Update hot-join flag only on success",
                            "    - gfs2: Retries missing in gfs2_{rename,exchange}",
                            "    - gfs2: Fix use-after-free in iomap inline data write path",
                            "    - i3c: dw: Initialize spinlock to avoid upsetting lockdep",
                            "    - tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure",
                            "    - tpm: st33zp24: Fix missing cleanup on get_burstcount() error",
                            "    - btrfs: qgroup: return correct error when deleting qgroup relation item",
                            "    - btrfs: fix block_group_tree dirty_list corruption",
                            "    - smb: client: fix potential UAF and double free in smb2_open_file()",
                            "    - xen/virtio: Don't use grant-dma-ops when running as Dom0",
                            "    - ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()",
                            "    - io_uring/sync: validate passed in offset",
                            "    - cpuidle: menu: Cleanup after loadavg removal",
                            "    - cpuidle: governors: menu: Always check timers with tick stopped",
                            "    - md/raid10: fix any_working flag handling in raid10_sync_request",
                            "    - iomap: fix submission side handling of completion side errors",
                            "    - ublk: Validate SQE128 flag before accessing the cmd",
                            "    - x86/xen: make some functions static",
                            "    - Partial revert \"x86/xen: fix balloon target initialization for PVH dom0\"",
                            "    - PM: wakeup: Handle empty list in wakeup_sources_walk_start()",
                            "    - perf: arm_spe: Properly set hw.state on failures",
                            "    - PM: sleep: wakeirq: harden dev_pm_clear_wake_irq() against races",
                            "    - s390/cio: Fix device lifecycle handling in css_alloc_subchannel()",
                            "    - crypto: qat - fix warning on adf_pfvf_pf_proto.c",
                            "    - selftests/bpf: veristat: fix printing order in output_stats()",
                            "    - libbpf: Fix OOB read in btf_dump_get_bitfield_value",
                            "    - ARM: VDSO: Patch out __vdso_clock_getres() if unavailable",
                            "    - crypto: cavium - fix dma_free_coherent() size",
                            "    - crypto: octeontx - fix dma_free_coherent() size",
                            "    - crypto: hisilicon/zip - adjust the way to obtain the req in the callback",
                            "      function",
                            "    - crypto: hisilicon/sec2 - support skcipher/aead fallback for hardware",
                            "      queue unavailable",
                            "    - hrtimer: Fix trace oddity",
                            "    - bpf, sockmap: Fix incorrect copied_seq calculation",
                            "    - bpf, sockmap: Fix FIONREAD for sockmap",
                            "    - crypto: hisilicon/trng - modifying the order of header files",
                            "    - crypto: hisilicon/trng - support tfms sharing the device",
                            "    - bpf: Fix bpf_xdp_store_bytes proto for read-only arg",
                            "    - scsi: efct: Use IRQF_ONESHOT and default primary handler",
                            "    - EDAC/altera: Remove IRQF_ONESHOT",
                            "    - mfd: wm8350-core: Use IRQF_ONESHOT",
                            "    - sched/rt: Skip currently executing CPU in rto_next_cpu()",
                            "    - pstore/ram: fix buffer overflow in persistent_ram_save_old()",
                            "    - soc: qcom: smem: handle ENOMEM error during probe",
                            "    - EDAC/i5000: Fix snprintf() size calculation in calculate_dimm_size()",
                            "    - EDAC/i5400: Fix snprintf() limit calculation in calculate_dimm_size()",
                            "    - arm64: dts: tqma8mpql-mba8mpxl: Fix HDMI CEC pad control settings",
                            "    - clk: qcom: Return correct error code in qcom_cc_probe_by_index()",
                            "    - arm64: dts: qcom: sdm630: fix gpu_speed_bin size",
                            "    - arm64: dts: qcom: sdm845-oneplus: Don't mark ts supply boot-on",
                            "    - ARM: dts: allwinner: sun5i-a13-utoo-p66: delete \"power-gpios\" property",
                            "    - powerpc/uaccess: Move barrier_nospec() out of",
                            "      allow_read_{from/write}_user()",
                            "    - soc: qcom: cmd-db: Use devm_memremap() to fix memory leak in",
                            "      cmd_db_dev_probe",
                            "    - soc: mediatek: svs: Fix memory leak in svs_enable_debug_write()",
                            "    - powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event",
                            "      handling",
                            "    - ARM: dts: lpc32xx: Set motor PWM #pwm-cells property value to 3 cells",
                            "    - arm: dts: lpc32xx: add clocks property to Motor Control PWM device tree",
                            "      node",
                            "    - arm64: dts: amlogic: axg: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: gx: assign the MMC signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC B and C signal clocks",
                            "    - arm64: dts: amlogic: g12: assign the MMC A signal clock",
                            "    - arm64: dts: qcom: sdm845-db845c: drop CS from SPIO0",
                            "    - arm64: dts: qcom: sdm845-db845c: specify power for WiFi CH1",
                            "    - arm64: dts: qcom: sm6115: Add CX_MEM/DBGC GPU regions",
                            "    - workqueue: Factor out assign_rescuer_work()",
                            "    - workqueue: Only assign rescuer work when really needed",
                            "    - workqueue: Process rescuer work items one-by-one using a cursor",
                            "    - smack: /smack/doi must be > 0",
                            "    - smack: /smack/doi: accept previously used values",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - ASoC: nau8821: Fixup nau8821_enable_jack_detect()",
                            "    - drm/amdgpu: Use explicit VCN instance 0 in SR-IOV init",
                            "    - drm/msm/disp/dpu: add merge3d support for sc7280",
                            "    - regulator: core: move supply check earlier in set_machine_constraints()",
                            "    - HID: playstation: Add missing check for input_ff_create_memless",
                            "    - drm/msm/dpu: fix CMD panels on DPU 1.x - 3.x",
                            "    - media: ccs: Accommodate C-PHY into the calculation",
                            "    - drm/msm/a2xx: fix pixel shader start on A225",
                            "    - platform/chrome: cros_typec_switch: Don't touch struct",
                            "      fwnode_handle::dev",
                            "    - media: uvcvideo: Fix allocation for small frame sizes",
                            "    - platform/chrome: cros_ec_lightbar: Fix response size initialization",
                            "    - spi: tools: Add include folder to .gitignore",
                            "    - Revert \"hwmon: (ibmpex) fix use-after-free in high/low store\"",
                            "    - PCI: mediatek: Fix IRQ domain leak when MSI allocation fails",
                            "    - Documentation: PCI: endpoint: Fix ntb/vntb copy & paste errors",
                            "    - PCI/PM: Avoid redundant delays on D3hot->D3cold",
                            "    - PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails",
                            "    - Documentation: tracing: Add ring-buffer mapping",
                            "    - docs: fix WARNING document not included in any toctree",
                            "    - Documentation: trace: Refactor toctree",
                            "    - Documentation: tracing: Add PCI tracepoint documentation",
                            "    - PCI: Do not attempt to set ExtTag for VFs",
                            "    - PCI/portdrv: Fix potential resource leak",
                            "    - quota: fix livelock between quotactl and freeze_super",
                            "    - net: mctp-i2c: fix duplicate reception of old data",
                            "    - mctp i2c: initialise event handler read bytes",
                            "    - wifi: cfg80211: stop NAN and P2P in cfg80211_leave",
                            "    - netfilter: nf_tables: reset table validation state on abort",
                            "    - netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH",
                            "    - netfilter: nf_conncount: increase the connection clean up limit to 64",
                            "    - netfilter: nft_compat: add more restrictions on netlink attributes",
                            "    - netfilter: nf_conncount: fix tracking of connections from localhost",
                            "    - module: add helper function for reading module_buildid()",
                            "    - kallsyms/ftrace: set module buildid in ftrace_mod_address_lookup()",
                            "    - PCI: Mark 3ware-9650SA Root Port Extended Tags as broken",
                            "    - iommu/vt-d: Flush cache for PASID table before using it",
                            "    - dm: use bio_clone_blkg_association",
                            "    - nfsd: never defer requests during idmap lookup",
                            "    - fat: avoid parent link count underflow in rmdir",
                            "    - tcp: tcp_tx_timestamp() must look at the rtx queue",
                            "    - wifi: ath10k: sdio: add missing lock protection in",
                            "      ath10k_sdio_fw_crashed_dump()",
                            "    - PCI: Initialize RCB from pci_configure_device()",
                            "    - PCI: Add PCIE_MSG_CODE_ASSERT_INTx message macros",
                            "    - PCI: Add defines for bridge window indexing",
                            "    - PCI/ACPI: Restrict program_hpx_type2() to AER bits",
                            "    - ipc: don't audit capability check in ipc_permissions()",
                            "    - ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()",
                            "    - of: unittest: fix possible null-pointer dereferences in",
                            "      of_unittest_property_copy()",
                            "    - mptcp: fix receive space timestamp initialization",
                            "    - octeontx2-af: Fix PF driver crash with kexec kernel booting",
                            "    - bonding: only set speed/duplex to unknown, if getting speed failed",
                            "    - inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP",
                            "    - nfc: hci: shdlc: Stop timers and work before freeing context",
                            "    - netfilter: nft_set_hash: fix get operation on big endian",
                            "    - netfilter: nft_counter: fix reset of counters on 32bit archs",
                            "    - netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets",
                            "    - PCI: Add ACS quirk for Pericom PI7C9X2G404 switches [12d8:b404]",
                            "    - net: hns3: fix double free issue for tx spare buffer",
                            "    - procfs: fix missing RCU protection when reading real_parent in",
                            "      do_task_stat()",
                            "    - smb: client: correct value for smbd_max_fragmented_recv_size",
                            "    - net: sunhme: Fix sbus regression",
                            "    - net: Add skb_dstref_steal and skb_dstref_restore",
                            "    - net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input",
                            "      callers",
                            "    - xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path",
                            "    - serial: caif: fix use-after-free in caif_serial ldisc_close()",
                            "    - octeon_ep: disable per ring interrupts",
                            "    - octeon_ep: ensure dbell BADDR updation",
                            "    - ionic: Rate limit unknown xcvr type messages",
                            "    - octeontx2-pf: Unregister devlink on probe failure",
                            "    - RDMA/rtrs: server: remove dead code",
                            "    - IB/cache: update gid cache on client reregister event",
                            "    - RDMA/hns: Fix WQ_MEM_RECLAIM warning",
                            "    - RDMA/hns: Notify ULP of remaining soft-WCs during reset",
                            "    - power: supply: ab8500: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: act8945a: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq256xx: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: bq25980: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: cpcap-battery: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: goldfish: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: rt9455: Fix use-after-free in power_supply_changed()",
                            "    - power: supply: sbs-battery: Fix use-after-free in power_supply_changed()",
                            "    - power: reset: nvmem-reboot-mode: respect cell size for nvmem_cell_write",
                            "    - power: supply: bq27xxx: fix wrong errno when bus ops are unsupported",
                            "    - power: supply: wm97xx: Fix NULL pointer dereference in",
                            "      power_supply_changed()",
                            "    - RDMA/rtrs-srv: fix SG mapping",
                            "    - RDMA/rxe: Fix double free in rxe_srq_from_init",
                            "    - tools/power/x86/intel-speed-select: Fix file descriptor leak in",
                            "      isolate_cpus()",
                            "    - mtd: rawnand: cadence: Fix return type of CDMA send-and-wait helper",
                            "    - crypto: ccp - Add an S4 restore flow",
                            "    - crypto: ccp - Factor out ring destroy handling to a helper",
                            "    - crypto: ccp - Send PSP_CMD_TEE_RING_DESTROY when PSP_CMD_TEE_RING_INIT",
                            "      fails",
                            "    - mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()",
                            "    - RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send",
                            "    - RDMA/rxe: Fix race condition in QP timer handlers",
                            "    - svcrdma: Increase the per-transport rw_ctx count",
                            "    - svcrdma: Reduce the number of rdma_rw contexts per-QP",
                            "    - RDMA/core: add rdma_rw_max_sge() helper for SQ sizing",
                            "    - cxl: Fix premature commit_end increment on decoder commit failure",
                            "    - mtd: parsers: ofpart: fix OF node refcount leak in",
                            "      parse_fixed_partitions()",
                            "    - mtd: spinand: Fix kernel doc",
                            "    - power: supply: qcom_battmgr: Recognize \"LiP\" as lithium-polymer",
                            "    - RDMA/uverbs: Add __GFP_NOWARN to ib_uverbs_unmarshall_recv() kmalloc",
                            "    - pNFS: fix a missing wake up while waiting on NFS_LAYOUT_DRAIN",
                            "    - scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()",
                            "    - scsi: ufs: host: mediatek: Require CONFIG_PM",
                            "    - scsi: csiostor: Fix dereference of null pointer rn",
                            "    - nvdimm: virtio_pmem: serialize flush requests",
                            "    - fs/nfs: Fix readdir slow-start regression",
                            "    - tracing: Properly process error handling in event_hist_trigger_parse()",
                            "    - tracing: Remove duplicate ENABLE_EVENT_STR and DISABLE_EVENT_STR macros",
                            "    - fbdev: of_display_timing: Fix device node reference leak in",
                            "      of_get_display_timings()",
                            "    - fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe()",
                            "    - clk: qcom: gcc-sm8550: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: rcg2: compute 2d using duty fraction directly",
                            "    - clk: meson: gxbb: Limit the HDMI PLL OD to /4 on GXL/GXM SoCs",
                            "    - clk: qcom: gcc-sm8450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-sdx75: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-qdu1000: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-msm8953: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-msm8917: Remove ALWAYS_ON flag from cpp_gdsc",
                            "    - clk: qcom: gcc-ipq5018: flag sleep clock as critical",
                            "    - clk: Move clk_{save,restore}_context() to COMMON_CLK section",
                            "    - clk: qcom: dispcc-sdm845: Enable parents for pixel clocks",
                            "    - clk: qcom: gfx3d: add parent to parent request map",
                            "    - clk: mediatek: Fix error handling in runtime PM setup",
                            "    - dmaengine: mediatek: uart-apdma: Fix above 4G addressing TX/RX",
                            "    - dma: dma-axi-dmac: fix SW cyclic transfers",
                            "    - staging: greybus: lights: avoid NULL deref",
                            "    - serial: imx: change SERIAL_IMX_CONSOLE to bool",
                            "    - serial: SH_SCI: improve \"DMA support\" prompt",
                            "    - mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms",
                            "    - iio: pressure: mprls0025pa: fix scan_type struct",
                            "    - watchdog: starfive-wdt: Fix PM reference leak in probe error path",
                            "    - coresight: etm3x: Fix cpulocked warning on cpuhp",
                            "    - Revert \"mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms\"",
                            "    - mfd: arizona: Fix regulator resource leak on",
                            "      wm5102_clear_write_sequencer() failure",
                            "    - mfd: simple-mfd-i2c: Add MAX77705 support",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: simple-mfd-i2c: Add SpacemiT P1 support",
                            "    - mfd: simple-mfd-i2c: Keep compatible strings in alphabetical order",
                            "    - mfd: simple-mfd-i2c: Add Delta TN48M CPLD support",
                            "    - [Config] Disable new Delta TN48M CPLD support by default",
                            "    - drivers: iio: mpu3050: use dev_err_probe for regulator request",
                            "    - usb: bdc: fix sleep during atomic",
                            "    - pinctrl: equilibrium: Fix device node reference leak in pinbank_init()",
                            "    - ovl: Fix uninit-value in ovl_fill_real",
                            "    - iio: sca3000: Fix a resource leak in sca3000_probe()",
                            "    - pinctrl: qcom: sm8250-lpass-lpi: Fix i2s2_data_groups definition",
                            "    - pinctrl: single: fix refcount leak in pcs_add_gpio_func()",
                            "    - leds: qcom-lpg: Check the return value of regmap_bulk_write()",
                            "    - backlight: qcom-wled: Support ovp values for PMI8994",
                            "    - backlight: qcom-wled: Change PM8950 WLED configurations",
                            "    - dmaengine: fsl-edma: don't explicitly disable clocks in .remove()",
                            "    - io_uring/cancel: de-unionize file and user_data in struct io_cancel_data",
                            "    - fs/ntfs3: prevent infinite loops caused by the next valid being the same",
                            "    - fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot",
                            "    - ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs",
                            "    - powercap: intel_rapl_tpmi: Remove FW_BUG from invalid version check",
                            "    - kbuild: Add objtool to top-level clean target",
                            "    - selftests/memfd: delete unused declarations",
                            "    - selftests/memfd: use IPC semaphore instead of SIGSTOP/SIGCONT",
                            "    - ACPI: PM: Add unused power resource quirk for THUNDEROBOT ZERO",
                            "    - cpuidle: Skip governor when only one idle state is available",
                            "    - selftests: mlxsw: tc_restrictions: Fix test failure with new iproute2",
                            "    - net: sparx5/lan969x: fix DWRR cost max to match hardware register width",
                            "    - net: mscc: ocelot: extract ocelot_xmit_timestamp() helper",
                            "    - net: mscc: ocelot: split xmit into FDMA and register injection paths",
                            "    - net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj()",
                            "    - ipv6: Fix out-of-bound access in fib6_add_rt2node().",
                            "    - net: sparx5/lan969x: fix PTP clock max_adj value",
                            "    - net: usb: catc: enable basic endpoint checking",
                            "    - xen-netback: reject zero-queue configuration from guest",
                            "    - net/rds: rds_sendmsg should not discard payload_len",
                            "    - net: bridge: mcast: always update mdb_n_entries for vlan contexts",
                            "    - selftests: forwarding: vxlan_bridge_1d: fix test failure with",
                            "      br_netfilter enabled",
                            "    - selftests: forwarding: vxlan_bridge_1d_ipv6: fix test failure with",
                            "      br_netfilter enabled",
                            "    - netfilter: nf_conntrack_h323: don't pass uninitialised l3num value",
                            "    - net: remove WARN_ON_ONCE when accessing forward path array",
                            "    - ipv6: fix a race in ip6_sock_set_v6only()",
                            "    - bpftool: Fix truncated netlink dumps",
                            "    - ping: annotate data-races in ping_lookup()",
                            "    - icmp: move icmp_global.credit and icmp_global.stamp to per netns storage",
                            "    - icmp: icmp_msgs_per_sec and icmp_msgs_burst sysctls become per netns",
                            "    - icmp: prevent possible overflow in icmp_global_allow()",
                            "    - cache: add __cacheline_group_{begin, end}_aligned() (+ couple more)",
                            "    - inet: move icmp_global_{credit,stamp} to a separate cache line",
                            "    - octeontx2-af: Fix default entries mcam entry action",
                            "    - bonding: alb: fix UAF in rlb_arp_recv during bond up/down",
                            "    - net/mlx5: Fix multiport device check over light SFs",
                            "    - apparmor: fix NULL sock in aa_sock_file_perm",
                            "    - apparmor: return -ENOMEM in unpack_perms_table upon alloc failure",
                            "    - apparmor: fix rlimit for posix cpu timers",
                            "    - apparmor: remove apply_modes_to_perms from label_match",
                            "    - apparmor: make label_match return a consistent value",
                            "    - apparmor: fix invalid deref of rawdata when export_binary is unset",
                            "    - apparmor: fix aa_label to return state from compount and component match",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()",
                            "    - drm/amdgpu: Fix memory leak in amdgpu_ras_init()",
                            "    - drm/i915/acpi: free _DSM package when no connectors",
                            "    - ASoC: codecs: aw88261: Fix erroneous bitmask logic in Awinic init",
                            "    - drm/amdkfd: fix debug watchpoints for logical devices",
                            "    - drm/amdkfd: Fix watch_id bounds checking in debug address watch v2",
                            "    - spi: wpcm-fiu: Use devm_platform_ioremap_resource_byname()",
                            "    - spi: wpcm-fiu: Fix uninitialized res",
                            "    - spi: wpcm-fiu: Simplify with dev_err_probe()",
                            "    - spi: wpcm-fiu: Fix potential NULL pointer dereference in",
                            "      wpcm_fiu_probe()",
                            "    - s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n",
                            "    - efi: Fix reservation of unaccepted memory table",
                            "    - btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not",
                            "      found",
                            "    - x86/hyperv: Fix error pointer dereference",
                            "    - ASoC: rockchip: i2s-tdm: Use param rate if not provided by set_sysclk",
                            "    - drm/amd/display: Use same max plane scaling limits for all 64 bpp",
                            "      formats",
                            "    - MIPS: Work around LLVM bug when gp is used as global register variable",
                            "    - ext4: don't cache extent during splitting extent",
                            "    - ext4: fix memory leak in ext4_ext_shift_extents()",
                            "    - ext4: use optimized mballoc scanning regardless of inode format",
                            "    - ata: pata_ftide010: Fix some DMA timings",
                            "    - ata: libata-scsi: refactor ata_scsi_translate()",
                            "    - SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths",
                            "    - SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path",
                            "    - ASoC: dt-bindings: asahi-kasei,ak4458: Fix the supply names",
                            "    - ASoC: dt-bindings: asahi-kasei,ak5558: Fix the supply names",
                            "    - perf test stat: Update test expectations and events",
                            "    - perf test stat tests: Fix for virtualized machines",
                            "    - perf unwind-libdw: Fix invalid reference counts",
                            "    - perf callchain: Fix srcline printing with inlines",
                            "    - libsubcmd: Fix null intersection case in exclude_cmds()",
                            "    - libperf: Don't remove -g when EXTRA_CFLAGS are used",
                            "    - libperf build: Always place libperf includes first",
                            "    - rtc: interface: Alarm race handling should not discard preceding error",
                            "    - hfsplus: fix volume corruption issue for generic/498",
                            "    - fs/buffer: add alert in try_to_free_buffers() for folios without buffers",
                            "    - hfsplus: pretend special inodes as regular files",
                            "    - i3c: master: svc: Initialize 'dev' to NULL in svc_i3c_master_ibi_isr()",
                            "    - minix: Add required sanity checking to minix_check_superblock()",
                            "    - btrfs: handle user interrupt properly in btrfs_trim_fs()",
                            "    - smb: client: add proper locking around ses->iface_last_update",
                            "    - gfs2: fiemap page fault fix",
                            "    - smb: client: prevent races in ->query_interfaces()",
                            "    - tools/power cpupower: Reset errno before strtoull()",
                            "    - s390/purgatory: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS",
                            "    - perf/arm-cmn: Support CMN-600AE",
                            "    - arm64: Add support for TSV110 Spectre-BHB mitigation",
                            "    - rnbd-srv: Zero the rsp buffer before using it",
                            "    - x86/xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE",
                            "      is set",
                            "    - EFI/CPER: don't dump the entire memory region",
                            "    - APEI/GHES: ensure that won't go past CPER allocated record",
                            "    - EFI/CPER: don't go past the ARM processor CPER record buffer",
                            "    - ACPI: processor: Fix NULL-pointer dereference in",
                            "      acpi_processor_errata_piix4()",
                            "    - ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP",
                            "    - md-cluster: fix NULL pointer dereference in process_metadata_update",
                            "    - cpufreq: dt-platdev: Block the driver from probing on more QC platforms",
                            "    - s390/perf: Disable register readout on sampling events",
                            "    - perf/cxlpmu: Replace IRQF_ONESHOT with IRQF_NO_THREAD",
                            "    - xenbus: Use .freeze/.thaw to handle xenbus devices",
                            "    - blk-mq-debugfs: add missing debugfs_mutex in",
                            "      blk_mq_debugfs_register_hctxs()",
                            "    - sparc: Synchronize user stack on fork and clone",
                            "    - sparc: don't reference obsolete termio struct for TC* constants",
                            "    - bpf: verifier improvement in 32bit shift sign extension pattern",
                            "    - clocksource/drivers/sh_tmu: Always leave device running after probe",
                            "    - clocksource/drivers/timer-integrator-ap: Add missing Kconfig dependency",
                            "      on OF",
                            "    - PCI/MSI: Unmap MSI-X region on error",
                            "    - crypto: hisilicon/qm - move the barrier before writing to the mailbox",
                            "      register",
                            "    - mailbox: bcm-ferxrm-mailbox: Use default primary handler",
                            "    - char: tpm: cr50: Remove IRQF_ONESHOT",
                            "    - pstore: ram_core: fix incorrect success return when vmap() fails",
                            "    - arm64: tegra: smaug: Add usb-role-switch support",
                            "    - parisc: Prevent interrupts during reboot",
                            "    - drm/display/dp_mst: Add protection against 0 vcpi",
                            "    - spi-geni-qcom: initialize mode related registers to 0",
                            "    - spi-geni-qcom: use xfer->bits_per_word for can_dma()",
                            "    - media: dvb-core: dmxdevfilter must always flush bufs",
                            "    - spi: stm32: fix Overrun issue at < 8bpw",
                            "    - drm/v3d: Set DMA segment size to avoid debug warnings",
                            "    - media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes",
                            "    - media: omap3isp: isppreview: always clamp in preview_try_format()",
                            "    - media: omap3isp: set initial format",
                            "    - media: mediatek: vcodec: Don't try to decode 422/444 VP9",
                            "    - drm/amdgpu: add support for HDP IP version 6.1.1",
                            "    - drm/amdgpu: avoid a warning in timedout job handler",
                            "    - HID: apple: Add \"SONiX KN85 Keyboard\" to the list of non-apple keyboards",
                            "    - ASoC: wm8962: Add WM8962_ADC_MONOMIX to \"3D Coefficients\" mask",
                            "    - ASoC: wm8962: Don't report a microphone if it's shorted to ground on",
                            "      plug",
                            "    - spi: spi-mem: Limit octal DTR constraints to octal DTR situations",
                            "    - media: amphion: Clear last_buffer_dequeued flag for DEC_CMD_START",
                            "    - media: adv7180: fix frame interval in progressive mode",
                            "    - media: pvrusb2: fix URB leak in pvr2_send_request_ex",
                            "    - media: solo6x10: Check for out of bounds chip_id",
                            "    - media: cx25821: Fix a resource leak in cx25821_dev_setup()",
                            "    - media: v4l2-async: Fix error handling on steps after finding a match",
                            "    - drm/amdkfd: Fix GART PTE for non-4K pagesize in svm_migrate_gart_map()",
                            "    - drm: Account property blob allocations to memcg",
                            "    - hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed",
                            "    - virt: vbox: uapi: Mark inner unions in packed structs as packed",
                            "    - drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback",
                            "    - drm/atmel-hlcdc: don't reject the commit if the src rect has fractional",
                            "      parts",
                            "    - drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release",
                            "    - media: rkisp1: Fix filter mode register configuration",
                            "    - HID: multitouch: add eGalaxTouch EXC3188 support",
                            "    - HID: elecom: Add support for ELECOM HUGE Plus M-HT1MRBK",
                            "    - ALSA: hda/conexant: Add headset mic fix for MECHREVO Wujie 15X Pro",
                            "    - gpio: aspeed-sgpio: Change the macro to support deferred probe",
                            "    - ASoC: sunxi: sun50i-dmic: Add missing check for devm_regmap_init_mmio",
                            "    - spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end",
                            "    - ASoC: codecs: max98390: Check return value of devm_gpiod_get_optional()",
                            "      in max98390_i2c_probe()",
                            "    - hwmon: (nct6775) Add ASUS Pro WS WRX90E-SAGE SE",
                            "    - hwmon: (f71882fg) Add F81968 support",
                            "    - ASoC: es8328: Add error unwind in resume",
                            "    - modpost: Amend ppc64 save/restfpr symnames for -Os build",
                            "    - ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio",
                            "    - jfs: Add missing set_freezable() for freezable kthread",
                            "    - jfs: nlink overflow in jfs_rename",
                            "    - wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero",
                            "    - wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()",
                            "    - wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H",
                            "    - dm: replace -EEXIST with -EBUSY",
                            "    - dm: remove fake timeout to avoid leak request",
                            "    - iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency",
                            "    - wifi: libertas: fix WARNING in usb_tx_block",
                            "    - iommu/amd: move wait_on_sem() out of spinlock",
                            "    - wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode",
                            "    - PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port",
                            "    - wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1",
                            "    - wifi: ath12k: fix preferred hardware mode calculation",
                            "    - ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}()",
                            "    - ipv6: exthdrs: annotate data-race over multiple sysctl",
                            "    - ext4: mark group add fast-commit ineligible",
                            "    - ext4: move ext4_percpu_param_init() before ext4_mb_init()",
                            "    - ext4: mark group extend fast-commit ineligible",
                            "    - netfilter: nf_conntrack: Add allow_clash to generic protocol handler",
                            "    - netfilter: xt_tcpmss: check remaining length before reading optlen",
                            "    - openrisc: define arch-specific version of nop()",
                            "    - net: usb: r8152: fix transmit queue timeout",
                            "    - wifi: iwlwifi: mvm: check the validity of noa_len",
                            "    - net/rds: No shortcut out of RDS_CONN_ERROR",
                            "    - gro: change the BUG_ON() in gro_pull_from_frag0()",
                            "    - ipv4: igmp: annotate data-races around idev->mr_maxdelay",
                            "    - net: hns3: extend HCLGE_FD_AD_QID to 11 bits",
                            "    - wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power()",
                            "    - wifi: iwlegacy: add missing mutex protection in",
                            "      il3945_store_measurement()",
                            "    - ipv4: fib: Annotate access to struct fib_alias.fa_state.",
                            "    - Bluetooth: hci_conn: Set link_policy on incoming ACL connections",
                            "    - Bluetooth: hci_conn: use mod_delayed_work for active mode timeout",
                            "    - Bluetooth: btusb: Add new VID/PID for RTL8852CE",
                            "    - Bluetooth: btusb: Add device ID for Realtek RTL8761BU",
                            "    - octeontx2-af: Workaround SQM/PSE stalls by disabling sticky",
                            "    - wifi: rtw89: pci: restore LDO setting after device resume",
                            "    - wifi: ath10k: fix lock protection in",
                            "      ath10k_wmi_event_peer_sta_ps_state_chg()",
                            "    - net: usb: sr9700: remove code to drive nonexistent multicast filter",
                            "    - vmw_vsock: bypass false-positive Wnonnull warning with gcc-16",
                            "    - net/rds: Clear reconnect pending bit",
                            "    - PCI: Mark ASM1164 SATA controller to avoid bus reset",
                            "    - PCI: Fix pci_slot_lock () device locking",
                            "    - PCI: Enable ACS after configuring IOMMU for OF platforms",
                            "    - PCI: Add ACS quirk for Qualcomm Hamoa & Glymur",
                            "    - PCI: Mark Nvidia GB10 to avoid bus reset",
                            "    - myri10ge: avoid uninitialized variable use",
                            "    - nfc: nxp-nci: remove interrupt trigger type",
                            "    - RDMA/rtrs-clt: For conn rejection use actual err number",
                            "    - ata: libata: avoid long timeouts on hot-unplugged SATA DAS",
                            "    - hisi_acc_vfio_pci: update status after RAS error",
                            "    - scsi: buslogic: Reduce stack usage",
                            "    - vhost: fix caching attributes of MMIO regions by setting them explicitly",
                            "    - tracing: Fix false sharing in hwlat get_sample()",
                            "    - remoteproc: imx_dsp_rproc: Skip RP_MBOX_SUSPEND_SYSTEM when mailbox TX",
                            "      channel is uninitialized",
                            "    - mailbox: pcc: Remove spurious IRQF_ONESHOT usage",
                            "    - mailbox: imx: Skip the suspend flag for i.MX7ULP",
                            "    - mailbox: sprd: mask interrupts that are not handled",
                            "    - remoteproc: mediatek: Break lock dependency to `prepare_lock`",
                            "    - mailbox: sprd: clear delivery flag before handling TX done",
                            "    - clk: microchip: core: correct return value on *_get_parent()",
                            "    - m68k: nommu: fix memmove() with differently aligned src and dest for",
                            "      68000",
                            "    - soundwire: dmi-quirks: add mapping for Avell B.ON (OEM rebranded of",
                            "      NUC15)",
                            "    - staging: rtl8723bs: fix missing status update on sdio_alloc_irq()",
                            "      failure",
                            "    - serial: 8250_dw: handle clock enable errors in runtime_resume",
                            "    - usb: typec: ucsi: psy: Fix voltage and current max for non-Fixed PDOs",
                            "    - fpga: of-fpga-region: Fail if any bridge is missing",
                            "    - dmaengine: sun6i: Choose appropriate burst length under maxburst",
                            "    - dmaengine: stm32-mdma: initialize m2m_hw_period and ccr to fix warnings",
                            "    - misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()",
                            "    - misc: eeprom: Fix EWEN/EWDS/ERAL commands for 93xx56 and 93xx66",
                            "    - staging: rtl8723bs: fix memory leak on failure path",
                            "    - serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA",
                            "      termination is done",
                            "    - fix it87_wdt early reboot by reporting running timer",
                            "    - binder: don't use %pK through printk",
                            "    - watchdog: imx7ulp_wdt: handle the nowayout option",
                            "    - phy: mvebu-cp110-utmi: fix dr_mode property read from dts",
                            "    - phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature",
                            "    - Revert \"mfd: da9052-spi: Change read-mask to write-mask\"",
                            "    - iio: Use IRQF_NO_THREAD",
                            "    - iio: magnetometer: Remove IRQF_ONESHOT",
                            "    - MIPS: Loongson: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - fs/ntfs3: drop preallocated clusters for sparse and compressed files",
                            "    - fs/ntfs3: avoid calling run_get_entry() when run == NULL in",
                            "      ntfs_read_run_nb_ra()",
                            "    - ceph: supply snapshot context in ceph_uninline_data()",
                            "    - libceph: define and enforce CEPH_MAX_KEY_LEN",
                            "    - thermal: int340x: Fix sysfs group leak on DLVR registration failure",
                            "    - include: uapi: netfilter_bridge.h: Cover for musl libc",
                            "    - ARM: 9467/1: mm: Don't use %pK through printk",
                            "    - drm/amd/display: Avoid updating surface with the same surface under MPO",
                            "    - drm/amdgpu: Adjust usleep_range in fence wait",
                            "    - ALSA: usb-audio: Update the number of packets properly at receiving",
                            "    - drm/amdgpu: Add HAINAN clock adjustment",
                            "    - drm/radeon: Add HAINAN clock adjustment",
                            "    - ALSA: usb-audio: Add sanity check for OOB writes at silencing",
                            "    - btrfs: replace BUG() with error handling in __btrfs_balance()",
                            "    - drm/amd/display: Remove conditional for shaper 3DLUT power-on",
                            "    - rtc: zynqmp: correct frequency value",
                            "    - ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access",
                            "    - ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut",
                            "    - xfrm6: fix uninitialized saddr in xfrm6_get_saddr()",
                            "    - xfrm: skip templates check for packet offload tunnel mode",
                            "    - ipmi: ipmb: initialise event handler read bytes",
                            "    - xfrm: always flush state and policy upon NETDEV_UNREGISTER event",
                            "    - net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode",
                            "    - net: usb: lan78xx: scan all MDIO addresses on LAN7801",
                            "    - net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()",
                            "    - net: ethernet: xscale: Check for PTP support properly",
                            "    - wifi: cfg80211: wext: fix IGTK key ID off-by-one",
                            "    - Remove WARN_ALL_UNSEEDED_RANDOM kernel config option",
                            "    - [Config] Remove WARN_ALL_UNSEEDED_RANDOM",
                            "    - Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ",
                            "    - Bluetooth: hci_qca: Cleanup on all setup failures",
                            "    - Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix not checking output MTU is acceptable on",
                            "      L2CAP_ECRED_CONN_REQ",
                            "    - Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ",
                            "    - tipc: fix duplicate publication key in tipc_service_insert_publ()",
                            "    - RDMA/core: Fix stale RoCE GIDs during netdev events at registration",
                            "    - net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets",
                            "    - RDMA/efa: Fix typo in efa_alloc_mr()",
                            "    - net: usb: pegasus: enable basic endpoint checking",
                            "    - RDMA/umem: Fix double dma_buf_unpin in failure path",
                            "    - net/mlx5: DR, Fix circular locking dependency in dump",
                            "    - net/mlx5: Fix missing devlink lock in SRIOV enable error path",
                            "    - net: consume xmit errors of GSO frames",
                            "    - dpaa2-switch: validate num_ifs to prevent out-of-bounds write",
                            "    - netfilter: nf_conntrack_h323: fix OOB read in decode_choice()",
                            "    - rpmsg: core: fix race in driver_override_show() and use core helper",
                            "    - clk: renesas: rzg2l: Fix intin variable size",
                            "    - clk: renesas: rzg2l: Select correct div round macro",
                            "    - ASoC: SOF: ipc4-control: If there is no data do not send bytes update",
                            "    - ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls",
                            "    - ASoC: SOF: ipc4-control: Use the correct size for",
                            "      scontrol->ipc_control_data",
                            "    - ASoC: SOF: ipc4-control: Keep the payload size up to date",
                            "    - fpga: dfl: use subsys_initcall to allow built-in drivers to be added",
                            "    - dm-verity: correctly handle dm_bufio_client_create() failure",
                            "    - media: mediatek: encoder: Fix uninitialized scalar variable issue",
                            "    - media: mtk-mdp: Fix error handling in probe function",
                            "    - media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()",
                            "    - media: verisilicon: AV1: Fix enable cdef computation",
                            "    - media: verisilicon: AV1: Fix tx mode bit setting",
                            "    - ARM: omap2: Fix reference count leaks in omap_control_init()",
                            "    - KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3()",
                            "      succeeding",
                            "    - arm64: Disable branch profiling for all arm64 code",
                            "    - HID: hid-pl: handle probe errors",
                            "    - HID: magicmouse: Do not crash on missing msc->input",
                            "    - HID: prodikeys: Check presence of pm->input_ep82",
                            "    - HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()",
                            "    - arm64: dts: apple: t8112-j473: Keep the HDMI port powered on",
                            "    - media: verisilicon: AV1: Set IDR flag for intra_only frame type",
                            "    - media: radio-keene: fix memory leak in error path",
                            "    - media: cx88: Add missing unmap in snd_cx88_hw_params()",
                            "    - media: cx23885: Add missing unmap in snd_cx23885_hw_params()",
                            "    - media: cx25821: Add missing unmap in snd_cx25821_hw_params()",
                            "    - media: i2c/tw9903: Fix potential memory leak in tw9903_probe()",
                            "    - media: i2c/tw9906: Fix potential memory leak in tw9906_probe()",
                            "    - media: i2c: ov01a10: Fix the horizontal flip control",
                            "    - media: i2c: ov01a10: Fix reported pixel-rate value",
                            "    - media: i2c: ov01a10: Fix analogue gain range",
                            "    - media: i2c: ov01a10: Add missing v4l2_subdev_cleanup() calls",
                            "    - media: i2c: ov01a10: Fix test-pattern disabling",
                            "    - media: qcom: camss: vfe: Fix out-of-bounds access in",
                            "      vfe_isr_reg_update()",
                            "    - media: ccs: Avoid possible division by zero",
                            "    - media: i2c: ov5647: Initialize subdev before controls",
                            "    - media: i2c: ov5647: Correct pixel array offset",
                            "    - media: i2c: ov5647: Correct minimum VBLANK value",
                            "    - media: i2c: ov5647: Sensor should report RAW color space",
                            "    - media: i2c: ov5647: Fix PIXEL_RATE value for VGA mode",
                            "    - media: i2c: ov5647: use our own mutex for the ctrl lock",
                            "    - dm-integrity: fix a typo in the code for write/discard race",
                            "    - dm: clear cloned request bio pointer when last clone bio completes",
                            "    - soc: ti: k3-socinfo: Fix regmap leak on probe failure",
                            "    - soc: ti: pruss: Fix double free in pruss_clk_mux_setup()",
                            "    - KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation",
                            "    - clk: clk-apple-nco: Add \"apple,t8103-nco\" compatible",
                            "    - media: i2c: ov01a10: Fix digital gain range",
                            "    - clk: tegra: tegra124-emc: Fix potential memory leak in",
                            "      tegra124_clk_register_emc()",
                            "    - s390/pci: Handle futile config accesses of disabled devices directly",
                            "    - dm-integrity: fix recalculation in bitmap mode",
                            "    - dm-unstripe: fix mapping bug when there are multiple targets in a table",
                            "    - arm64: dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro",
                            "    - media: venus: vdec: fix error state assignment for zero bytesused",
                            "    - media: venus: vdec: restrict EOS addr quirk to IRIS2 only",
                            "    - drm: of: drm_of_panel_bridge_remove(): fix device_node leak",
                            "    - mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations",
                            "    - selftests/mm/charge_reserved_hugetlb: drop mount size for hugetlbfs",
                            "    - xfs: mark data structures corrupt on EIO and ENODATA",
                            "    - media: verisilicon: AV1: Fix tile info buffer size",
                            "    - iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in",
                            "      scalable mode",
                            "    - mfd: core: Add locking around 'mfd_of_node_list'",
                            "    - xfs: delete attr leaf freemap entries when empty",
                            "    - xfs: fix freemap adjustments when adding xattrs to leaf blocks",
                            "    - xfs: fix remote xattr valuelblk check",
                            "    - KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()",
                            "    - PCI: endpoint: Fix swapped parameters in",
                            "      pci_{primary/secondary}_epc_epf_unlink() functions",
                            "    - md/bitmap: fix GPF in write_page caused by resize race",
                            "    - nfsd: fix return error code for nfsd_map_name_to_[ug]id",
                            "    - nvmem: Drop OF node reference on nvmem_add_one_cell() failure",
                            "    - usb: gadget: tegra-xudc: Add handling for BLCG_COREPLL_PWRDN",
                            "    - bus: fsl-mc: fix an error handling in fsl_mc_device_add()",
                            "    - dm mpath: make pg_init_delay_msecs settable",
                            "    - tools: Fix bitfield dependency failure",
                            "    - powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()",
                            "    - iio: gyro: itg3200: Fix unchecked return value in read_raw",
                            "    - mm/highmem: fix __kmap_to_page() build error",
                            "    - rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()",
                            "    - ocfs2: fix reflink preserve cleanup issue",
                            "    - kexec: derive purgatory entry from symbol",
                            "    - Revert \"PCI/IOV: Add PCI rescan-remove locking when enabling/disabling",
                            "      SR-IOV\"",
                            "    - PCI/IOV: Fix race between SR-IOV enable/disable and hotplug",
                            "    - arm64: Fix non-atomic __READ_ONCE() with CONFIG_LTO=y",
                            "    - btrfs: continue trimming remaining devices on failure",
                            "    - remoteproc: imx_rproc: Fix invalid loaded resource table detection",
                            "    - perf/arm-cmn: Reject unsupported hardware configurations",
                            "    - scsi: ufs: core: Flush exception handling work when RPM level is zero",
                            "    - usb: dwc3: gadget: Move vbus draw to workqueue context",
                            "    - usb: dwc2: fix resume failure if dr_mode is host",
                            "    - mtd: rawnand: pl353: Fix software ECC support",
                            "    - tipc: fix RCU dereference race in tipc_aead_users_dec()",
                            "    - drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()",
                            "    - net: cpsw_new: Fix unnecessary netdev unregistration in cpsw_probe()",
                            "      error path",
                            "    - PCI: Fix pci_slot_trylock() error handling",
                            "    - parisc: kernel: replace kfree() with put_device() in create_tree_node()",
                            "    - staging: rtl8723bs: fix null dereference in find_network",
                            "    - cifs: Fix locking usage for tcon fields",
                            "    - MIPS: rb532: Fix MMIO UART resource registration",
                            "    - ceph: supply snapshot context in ceph_zero_partial_object()",
                            "    - LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE",
                            "    - LoongArch: Prefer top-down allocation after arch_mem_init()",
                            "    - LoongArch: Guard percpu handler under !CONFIG_PREEMPT_RT",
                            "    - LoongArch: Disable instrumentation for setup_ptwalker()",
                            "    - net: ethernet: marvell: skge: remove incorrect conflicting PCI ID",
                            "    - net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()",
                            "    - octeontx2-af: CGX: fix bitmap leaks",
                            "    - net: macb: Fix tx/rx malfunction after phy link down and up",
                            "    - tracing: Fix to set write permission to per-cpu buffer_size_kb",
                            "    - io_uring/filetable: clamp alloc_hint to the configured alloc range",
                            "    - net: intel: fix PCI device ID conflict between i40e and ipw2200",
                            "    - atm: fore200e: fix use-after-free in tasklets during device removal",
                            "    - ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()",
                            "    - fbcon: check return value of con2fb_acquire_newinfo()",
                            "    - fbdev: vt8500lcdfb: fix missing dma_free_coherent()",
                            "    - fbdev: of: display_timing: fix refcount leak in of_get_display_timings()",
                            "    - fbdev: ffb: fix corrupted video output on Sun FFB1",
                            "    - fbcon: Remove struct fbcon_display.inverse",
                            "    - cifs: some missing initializations on replay",
                            "    - ASoC: amd: yc: Add DMI quirk for ASUS Vivobook Pro 15X M6501RR",
                            "    - net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle",
                            "    - net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()",
                            "    - x86/kexec: Copy ACPI root pointer address from config table",
                            "    - arm64: Force the use of CNTVCT_EL0 in __delay()",
                            "    - net: nfc: nci: Fix parameter validation for packet data",
                            "    - tracing: Fix checking of freed trace_event_file for hist files",
                            "    - tracing: Wake up poll waiters for hist files when removing an event",
                            "    - NTB: ntb_transport: Fix too small buffer for debugfs_name",
                            "    - drm/i915/wakeref: clean up INTEL_WAKEREF_PUT_* flag macros",
                            "    - arm64: Fix sampling the \"stable\" virtual counter in preemptible section",
                            "    - gfs2: Fix slab-use-after-free in qd_put",
                            "    - io_uring: use release-acquire ordering for IORING_SETUP_R_DISABLED",
                            "    - thermal: intel: x86_pkg_temp_thermal: Handle invalid temperature",
                            "    - OPP: Return correct value in dev_pm_opp_get_level",
                            "    - cpufreq: scmi: Fix device_node reference leak in scmi_cpu_domain_id()",
                            "    - perf/x86/core: Do not set bit width for unavailable counters",
                            "    - genirq: Set IRQF_COND_ONESHOT in devm_request_irq().",
                            "    - platform/x86: int0002: Remove IRQF_ONESHOT from request_irq()",
                            "    - media: pci: mg4b: Use IRQF_NO_THREAD",
                            "    - firmware: arm_ffa: Correct 32-bit response handling in",
                            "      NOTIFICATION_INFO_GET",
                            "    - arm64: dts: qcom: msm8994-octagon: Fix Analog Devices vendor prefix of",
                            "      AD7147",
                            "    - arm64: dts: mediatek: mt8183-jacuzzi-pico6: Fix typo in pinmux node",
                            "    - arm64: dts: qcom: qrb4210-rb2: Fix UART3 wakeup IRQ storm",
                            "    - arm64: dts: qcom: x1e: bus is 40-bits (fix 64GB models)",
                            "    - media: chips-media: wave5: Fix memory leak on codec_info allocation",
                            "      failure",
                            "    - drm/amd: Drop \"amdgpu kernel modesetting enabled\" message",
                            "    - drm/amdkfd: Fix signal_eviction_fence() bool return value",
                            "    - drm/xe: Unregister drm device on probe error",
                            "    - HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients",
                            "    - wifi: cfg80211: Fix use_for flag update on BSS refresh",
                            "    - PCI: Check parent for NULL in of_pci_bus_release_domain_nr()",
                            "    - netfilter: nfnetlink_queue: optimize verdict lookup with hash table",
                            "    - netfilter: nfnetlink_queue: do shared-unconfirmed check before",
                            "      segmentation",
                            "    - netfilter: nft_set_rbtree: fix bogus EEXIST with NLM_F_CREATE with null",
                            "      interval",
                            "    - power: supply: pm8916_bms_vm: Fix use-after-free in",
                            "      power_supply_changed()",
                            "    - power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()",
                            "    - RDMA/mlx5: Fix UMR hang in LAG error state unload",
                            "    - IB/mlx5: Fix port speed query for representors",
                            "    - platform/x86/amd/pmf: Prevent TEE errors after hibernate",
                            "    - crypto: ccp - Declare PSP dead if PSP_CMD_TEE_RING_INIT fails",
                            "    - power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler",
                            "    - clk: qcom: gcc-sm8650: Use floor ops for SDCC RCGs",
                            "    - clk: qcom: gcc-sm4450: Update the SDCC RCGs to use shared_floor_ops",
                            "    - clk: qcom: gcc-x1e80100: Update the SDCC RCGs to use shared_floor_ops",
                            "    - dma: dma-axi-dmac: fix HW scatter-gather not looking at the queue",
                            "    - iio: pressure: mprls0025pa: fix interrupt flag",
                            "    - objpool: fix the overestimation of object pooling metadata size",
                            "    - ipvs: do not keep dest_dst if dev is going down",
                            "    - net/mlx5e: Use unsigned for mlx5e_get_max_num_channels",
                            "    - AppArmor: Allow apparmor to handle unaligned dfa tables",
                            "    - apparmor: Fix & Optimize table creation from possibly unaligned memory",
                            "    - apparmor: avoid per-cpu hold underflow in aa_get_buffer",
                            "    - drm/amd/display: Fix out-of-bounds stream encoder index v3",
                            "    - btrfs: use the correct type to initialize block reserve for delayed refs",
                            "    - Drivers: hv: vmbus: Use kthread for vmbus interrupts on PREEMPT_RT",
                            "    - i3c: mipi-i3c-hci: Reset RING_OPERATION1 fields during init",
                            "    - APEI/GHES: ARM processor Error: don't go past allocated memory",
                            "    - ACPI: resource: Add JWIPC JVC9100 to irq1_level_low_skip_override[]",
                            "    - powercap: intel_rapl: Add PL4 support for Ice Lake",
                            "    - alpha: fix user-space corruption during memory compaction",
                            "    - ACPI: x86: s2idle: Invoke Microsoft _DSM Function 9 (Turn On Display)",
                            "    - ACPI: battery: fix incorrect charging status when current is zero",
                            "    - perf/x86/msr: Add Airmont NP",
                            "    - perf/x86/cstate: Add Airmont NP",
                            "    - bpf: Recognize special arithmetic shift in the verifier",
                            "    - firmware: arm_ffa: Unmap Rx/Tx buffers on init failure",
                            "    - gpu/panel-edp: add AUO panel entry for B140HAN06.4",
                            "    - drm/amdgpu: fix NULL pointer issue buffer funcs",
                            "    - ASoC: SOF: ipc4: Support for sending payload along with LARGE_CONFIG_GET",
                            "    - media: chips-media: wave5: Fix conditional in start_streaming",
                            "    - media: chips-media: wave5: Process ready frames when CMD_STOP sent to",
                            "      Encoder",
                            "    - drm/amd/display: Fix dsc eDP issue",
                            "    - drm/panel: Fix a possible null-pointer dereference in",
                            "      jdi_panel_dsi_remove()",
                            "    - media: mt9m114: Avoid a reset low spike during probe()",
                            "    - media: mt9m114: Return -EPROBE_DEFER if no endpoint is found",
                            "    - ALSA: hda/realtek: add HP Victus 16-e0xxx mute LED quirk",
                            "    - PCI: Add Intel Nova Lake audio Device ID",
                            "    - drm/amd/display: Disable FEC when powering down encoders",
                            "    - drm/amd/display: avoid dig reg access timeout on usb4 link training fail",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7080",
                            "    - HID: logitech-hidpp: Add support for Logitech K980",
                            "    - ASoC: SOF: Intel: hda: Fix NULL pointer dereference",
                            "    - spi: geni-qcom: Fix abort sequence execution for serial engine errors",
                            "    - ALSA: hda/realtek - Enable mute LEDs on HP ENVY x360 15-es0xxx",
                            "    - wifi: rtw89: 8922a: set random mac if efuse contains zeroes",
                            "    - wifi: rtw89: ser: enable error IMR after recovering from L1",
                            "    - wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()",
                            "    - wifi: rtw89: mac: correct page number for CSI response",
                            "    - wifi: ath11k: Fix failure to connect to a 6 GHz AP",
                            "    - ipv6: annotate data-races over sysctl.flowlabel_reflect",
                            "    - ext4: use reserved metadata blocks when splitting extent on endio",
                            "    - Bluetooth: btusb: Add support for MediaTek7920 0489:e158",
                            "    - net: sfp: add quirk for Lantech 8330-265D",
                            "    - PCI/AER: Clear stale errors on reporting agents upon probe",
                            "    - scsi: ufs: mediatek: Fix page faults in ufs_mtk_clk_scale() trace event",
                            "    - riscv: vector: init vector context with proper vlenb",
                            "    - HID: i2c-hid: Add FocalTech FT8112",
                            "    - 9p/xen: protect xen_9pfs_front_free against concurrent calls",
                            "    - soundwire: intel_auxdevice: add cs42l45 codec to wake_capable_list",
                            "    - most: remove usage of the deprecated ida_simple_xx() API",
                            "    - most: core: fix resource leak in most_register_interface error paths",
                            "    - usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()",
                            "    - serial: 8250: 8250_omap.c: Add support for handling UART error",
                            "      conditions",
                            "    - mfd: intel-lpss: Add Intel Nova Lake-S PCI IDs",
                            "    - ACPI: x86: Force enabling of PWM2 on the Yogabook YB1-X90",
                            "    - drm/amd/display: Fix writeback on DCN 3.2+",
                            "    - drm/amd/display: Fix system resume lag issue",
                            "    - drm/amd/display: bypass post csc for additional color spaces in dal",
                            "    - spi: spidev: fix lock inversion between spi_lock and buf_lock",
                            "    - Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings",
                            "    - Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too",
                            "      short",
                            "    - kcm: fix zero-frag skb in frag_list on partial sendmsg error",
                            "    - net/mlx5: E-switch, Clear legacy flag when moving to switchdev",
                            "    - net/mlx5e: Separate address related variables to be in struct",
                            "    - net/mlx5e: Support routed networks during IPsec MACs initialization",
                            "    - net/mlx5e: Fix \"scheduling while atomic\" in IPsec MAC address query",
                            "    - drm/tests: shmem: Swap names of export tests",
                            "    - KVM: x86: Return \"unsupported\" instead of \"invalid\" on access to",
                            "      unsupported PV MSR",
                            "    - media: amphion: Drop min_queued_buffers assignment",
                            "    - media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()",
                            "    - media: i2c: ov01a10: Fix passing stream instead of pad to",
                            "      v4l2_subdev_state_get_format()",
                            "    - media: ccs: Fix setting initial sub-device state",
                            "    - platform/x86: ISST: Add missing write block check",
                            "    - bus: omap-ocp2scp: fix OF populate on driver rebind",
                            "    - media: stm32: dcmipp: bytecap: clear all interrupts upon stream stop",
                            "    - drm/buddy: Prevent BUG_ON by validating rounded allocation",
                            "    - xfs: remove xfs_attr_leaf_hasname",
                            "    - mfd: qcom-pm8xxx: Fix OF populate on driver rebind",
                            "    - mfd: omap-usb-host: Fix OF populate on driver rebind",
                            "    - xfs: fix the xattr scrub to detect freemap/entries array collisions",
                            "    - pinctrl: intel: Add code name documentation",
                            "    - vhost: move vdpa group bound check to vhost_vdpa",
                            "    - clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841",
                            "    - mm/slab: use unsigned long for orig_size to ensure proper metadata align",
                            "    - drm/amd/display: Increase DCN35 SR enter/exit latency",
                            "    - drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify",
                            "    - mm: numa_memblks: Identify the accurate NUMA ID of CFMW",
                            "    - drm/amdgpu: keep vga memory on MacBooks with switchable graphics",
                            "    - most: core: fix leak on early registration failure",
                            "    - Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req",
                            "    - Upstream stable to v6.6.128, v6.12.75",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23249",
                            "    - xfs: check for deleted cursors when revalidating two btrees",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71267",
                            "    - fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71265",
                            "    - fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent",
                            "      metadata",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71266",
                            "    - fs: ntfs3: check return value of indx_find to avoid infinite loop",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23241",
                            "    - audit: add missing syscalls to read class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2025-71239",
                            "    - audit: add fchmodat2() to change attributes class",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-31411",
                            "    - net: atm: fix crash due to unvalidated vcc pointer in sigd_send()",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23243",
                            "    - RDMA/umad: Reject negative data_len in ib_umad_write",
                            "  * Noble update: upstream stable patchset 2026-05-01 (LP: #2150809) //",
                            "    CVE-2026-23242",
                            "    - RDMA/siw: Fix potential NULL pointer dereference in header processing",
                            "  * Noble update: upstream stable patchset 2026-04-17 (LP: #2148714)",
                            "    - scsi: qla2xxx: Fix bsg_done() causing double free",
                            "    - PCI: endpoint: Remove unused field in struct pci_epf_group",
                            "    - bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show",
                            "      functions",
                            "    - bus: fsl-mc: fix use-after-free in driver_override_show()",
                            "    - ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list",
                            "    - gpio: sprd: Change sprd_gpio lock to raw_spin_lock",
                            "    - ALSA: hda/realtek: Add quirk for Inspur S14-G1",
                            "    - ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel",
                            "    - romfs: check sb_set_blocksize() return value",
                            "    - drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used",
                            "    - platform/x86: classmate-laptop: Add missing NULL pointer checks",
                            "    - ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9",
                            "    - ASoC: amd: yc: Add quirk for HP 200 G2a 16",
                            "    - platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro",
                            "    - platform/x86: panasonic-laptop: Fix sysfs group leak in error path",
                            "    - ASoC: cs42l43: Correct handling of 3-pole jack load detection",
                            "    - ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()",
                            "    - gpiolib: acpi: Fix gpio count with string references",
                            "    - LoongArch: Rework KASAN initialization for PTW-enabled systems",
                            "    - Revert \"wireguard: device: enable threaded NAPI\"",
                            "    - mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count",
                            "    - mm/hugetlb: fix hugetlb_pmd_shared()",
                            "    - mm/hugetlb: fix two comments related to huge_pmd_unshare()",
                            "    - mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using",
                            "      mmu_gather",
                            "    - cpuset: Fix missing adaptation for cpuset_is_populated",
                            "    - LoongArch: Add writecombine support for DMW-based ioremap()",
                            "    - fbdev: rivafb: fix divide error in nv3_arb()",
                            "    - fbdev: smscufx: properly copy ioctl memory to kernelspace",
                            "    - f2fs: fix to add gc count stat in f2fs_gc_range",
                            "    - f2fs: fix out-of-bounds access in sysfs attribute read/write",
                            "    - f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent",
                            "      atomic commit and checkpoint writes",
                            "    - f2fs: fix to avoid UAF in f2fs_write_end_io()",
                            "    - f2fs: fix to avoid mapping wrong physical block for swapfile",
                            "    - USB: serial: option: add Telit FN920C04 RNDIS compositions",
                            "    - bnxt_en: Change FW message timeout warning",
                            "    - bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code",
                            "    - ALSA: hda/realtek: Enable headset mic for Acer Nitro 5",
                            "    - drm/amd/display: remove assert around dpp_base replacement",
                            "    - ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()",
                            "    - Upstream stable to v6.6.126, v6.6.127, v6.12.73, v6.12.74",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260)",
                            "    - Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB",
                            "    - crypto: octeontx - Fix length check to avoid truncation in",
                            "      ucode_load_store",
                            "    - crypto: virtio - Remove duplicated virtqueue_kick in",
                            "      virtio_crypto_skcipher_crypt_req",
                            "    - scsi: qla2xxx: Allow recovery for tape devices",
                            "    - scsi: qla2xxx: Query FW again before proceeding with login",
                            "    - Revert \"netfilter: nf_tables: missing objects with no memcg accounting\"",
                            "    - netfilter: nf_tables: missing objects with no memcg accounting",
                            "    - vsock/test: verify socket options after setting them",
                            "    - selftests: mptcp: pm: ensure unknown flags are ignored",
                            "    - gpio: omap: do not register driver in probe()",
                            "    - net: tunnel: make skb_vlan_inet_prepare() return drop reasons",
                            "    - Upstream stable to v6.6.125, v6.12.71, v6.12.72",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71233",
                            "    - PCI: endpoint: Avoid creating sub-groups asynchronously",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71231",
                            "    - crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23169",
                            "    - mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-40005",
                            "    - spi: cadence-quadspi: Implement refcount to handle unbind during busy",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71232",
                            "    - scsi: qla2xxx: Free sp in error path to fix system crash",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71235",
                            "    - scsi: qla2xxx: Delay module unload while fabric scan in progress",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71236",
                            "    - scsi: qla2xxx: Validate sp before freeing associated memory",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71229",
                            "    - wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2025-71237",
                            "    - nilfs2: Fix potential block overflow that cause system hang",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23229",
                            "    - crypto: virtio - Add spinlock protection with virtqueue notification",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23222",
                            "    - crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23228",
                            "    - smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23220",
                            "    - ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error",
                            "      paths",
                            "  * Noble update: upstream stable patchset 2026-04-13 (LP: #2148260) //",
                            "    CVE-2026-23230",
                            "    - smb: client: split cached_fid bitfields to avoid shared-byte RMW races",
                            "  * CVE-2026-23272",
                            "    - netfilter: nf_tables: unconditionally bump set->nelems before insertion",
                            "  * CVE-2026-31418",
                            "    - netfilter: ipset: drop logically empty buckets in mtype_del",
                            "  * CVE-2026-23392",
                            "    - netfilter: nf_tables: release flowtable after rcu grace period on error",
                            "  * CVE-2026-23278",
                            "    - netfilter: nf_tables: always walk all pending catchall elements",
                            "  * GRO managed-frag use-after-free leading to local privilege escalation",
                            "    (LP: #2154172)",
                            "    - net: gro: don't merge zcopy skbs",
                            "  * AppArmor Vulnerabilities  (LP: #2151747)",
                            "    - apparmor: Fix incorrect profile->signal range check",
                            "    - SAUCE: apparmor: pass big_resp to handler",
                            "    - SAUCE: apparmor: remove redundant kref_init for listener->count",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47337",
                            "    - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47336",
                            "    - SAUCE: apparmor: fix use of unintialized variable in net opt level",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47335",
                            "    - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL",
                            "      check",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47334",
                            "    - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47333",
                            "    - SAUCE: apparmor: fix dfa unpacking size of the notification filter",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47332",
                            "    - SAUCE: apparmor: fix size check against type instead of pointer",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47331",
                            "    - SAUCE: apparmor: fix changing rules list without a lock",
                            "  * apparmor: LLVM/clang build failure due to uninitialized variable in",
                            "    notify.c (LP: #2148809) // CVE-2026-47330",
                            "    - SAUCE: apparmor: initialize variable used in uninitialized context",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47329",
                            "    - SAUCE: apparmor: fix name validation bypass on notification",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47327 //",
                            "    CVE-2026-47328",
                            "    - SAUCE: apparmor: fix glob memory leak after kstrdup",
                            "  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47326",
                            "    - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer",
                            "  * CVE-2026-46300",
                            "    - net: skbuff: preserve shared-frag marker during coalescing",
                            "    - net: skbuff: propagate shared-frag marker through frag-transfer helpers",
                            "  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)",
                            "    - net/rds: reset op_nents when zerocopy page pin fails",
                            "  * CVE-2026-46333",
                            "    - ptrace: slightly saner 'get_dumpable()' logic",
                            "  * CVE-2026-43500",
                            "    - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets",
                            "    - rxrpc: Parse received packets before dealing with timeouts",
                            "    - rxrpc: Fix potential UAF after skb_unshare() failure",
                            "    - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets",
                            "    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
                            "  * CVE-2026-31676 // CVE-2026-43500",
                            "    - rxrpc: only handle RESPONSE during service challenge",
                            "  * CVE-2026-43284",
                            "    - xfrm: esp: avoid in-place decrypt on shared skb frags",
                            "  * CVE-2026-31419",
                            "    - net: bonding: fix use-after-free in bond_xmit_broadcast()",
                            "  * CVE-2026-31431",
                            "    - crypto: scatterwalk - Backport memcpy_sglist()",
                            "    - crypto: algif_aead - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: algif_aead - Revert to operating out-of-place",
                            "    - crypto: algif_aead - snapshot IV for async AEAD requests",
                            "    - crypto: authenc - use memcpy_sglist() instead of null skcipher",
                            "    - crypto: authencesn - Do not place hiseq at end of dst for out-of-place",
                            "      decryption",
                            "    - crypto: authencesn - Fix src offset when decrypting in-place",
                            "    - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl",
                            "    - crypto: algif_aead - Fix minimum RX size check for decryption",
                            "  * CVE-2026-31533",
                            "    - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
                            "  * CVE-2026-31504",
                            "    - net: fix fanout UAF in packet_release() via NETDEV_UP race",
                            ""
                        ],
                        "package": "linux-riscv-6.8",
                        "version": "6.8.0-130.130~22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2151948,
                            2154560,
                            2146465,
                            2153556,
                            2152194,
                            2141536,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2150809,
                            2148714,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2148260,
                            2154172,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2151747,
                            2148809,
                            2151747,
                            2151747,
                            2151747,
                            2153962
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Wed, 03 Jun 2026 17:23:35 +0200"
                    }
                ],
                "notes": "linux-riscv-6.8-headers-6.8.0-134 version '6.8.0-134.134~22.04.1' (source package linux-riscv-6.8 version '6.8.0-134.134~22.04.1') was added. linux-riscv-6.8-headers-6.8.0-134 version '6.8.0-134.134~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-124-generic. As such we can use the source package version of the removed package, '6.8.0-124.124~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-6.8.0-124-generic",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": "6.8.0-124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-6.8.0-124-generic",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": "6.8.0-124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-124-generic",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": "6.8.0-124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-riscv-6.8-headers-6.8.0-124",
                "from_version": {
                    "source_package_name": "linux-riscv-6.8",
                    "source_package_version": "6.8.0-124.124~22.04.1",
                    "version": "6.8.0-124.124~22.04.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20260627 to 20260705",
    "from_series": "jammy",
    "to_series": "jammy",
    "from_serial": "20260627",
    "to_serial": "20260705",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}