Thank you for your contribution to Debian.


Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Jul 2026 15:50:42 +0200
Source: linux
Architecture: source
Version: 6.1.176-1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Closes: 1130365
Changes:
 linux (6.1.176-1) bookworm-security; urgency=high
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.175
     - [x86] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
     - [x86] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
     - [arm64] media: rkvdec: reduce stack usage in
       rkvdec_init_v4l2_vp9_count_tbl()
     - [x86] ALSA: asihpi: avoid write overflow check warning
     - [x86] ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
     - can: mcp251x: add error handling for power enable in open and resume
     - btrfs: tracepoints: get correct superblock from dentry in event
       btrfs_sync_file() (CVE-2026-43117)
     - [x86] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
     - [x86] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
       expiry (CVE-2026-43114)
     - [x86] ALSA: hda/realtek: add quirk for Framework F111:000F
     - wifi: wl1251: validate packet IDs before indexing tx_frames
       (CVE-2026-43113)
     - ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
     - ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
     - fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
       (CVE-2026-43112)
     - [x86] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
     - [x86] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
       debouncer)
     - HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
     - [x86] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
     - HID: roccat: fix use-after-free in roccat_report_event (CVE-2026-43111)
     - ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
     - wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110)
     - [armhf] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
     - [armhf] soc: aspeed: socinfo: Mask table entries for accurate SoC ID
       matching
     - [arm64] dts: imx8mq: Set the correct gpu_ahb clock frequency
     - PCI: hv: Set default NUMA node to 0 for devices without affinity info
     - [arm*] drm/vc4: Release runtime PM reference after binding V3D
     - [arm*] drm/vc4: Fix memory leak of BO array in hang state
       (CVE-2026-43105)
     - [arm*] drm/vc4: Fix a memory leak in hang state error path
       (CVE-2026-43104)
     - [arm*] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
     - epoll: use refcount to reduce ep_mutex contention
     - eventpoll: defer struct eventpoll free to RCU grace period
       (CVE-2026-43074)
     - net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
     - net: lapbether: handle NETDEV_PRE_TYPE_CHANGE (CVE-2026-43103)
     - ipv4: icmp: fix null-ptr-deref in icmp_build_probe() (CVE-2026-43099)
     - nfc: s3fwrn5: allocate rx skb before consuming bytes (CVE-2026-43098)
     - tracing/probe: reject non-closed empty immediate strings
     - ixgbevf: add missing negotiate_features op to Hyper-V ops table
       (CVE-2026-43094)
     - e1000: check return value of e1000_read_eeprom
     - xsk: tighten UMEM headroom validation to account for tailroom and min
       frame (CVE-2026-43093)
     - xfrm_user: fix info leak in build_mapping() (CVE-2026-43089)
     - netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
       (CVE-2026-43085)
     - netfilter: xt_multiport: validate range encoding in checkentry
       (CVE-2026-31681)
     - netfilter: ip6t_eui64: reject invalid MAC header for all packets
       (CVE-2026-31685)
     - af_unix: read UNIX_DIAG_VFS data under unix_state_lock (CVE-2026-31673)
     - l2tp: Drop large packets with UDP encap (CVE-2026-43080)
     - [arm64,armhf] gpio: tegra: fix irq_release_resources calling enable
       instead of disable
     - [x86] perf/x86/intel/uncore: Skip discovery table for offline dies
       (CVE-2026-43079)
     - Revert "drm: Fix use-after-free on framebuffers and property blobs when
       calling drm_dev_unplug" (regression in 6.1.167)
     - netfilter: conntrack: add missing netlink policy validations
       (CVE-2026-31407)
     - [x86] drm/i915/psr: Do not use pipe_src as borders for SU area
     - nfc: llcp: add missing return after LLCP_CLOSED checks (CVE-2026-31629)
     - can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
     - [arm*] i2c: s3c24xx: check the size of the SMBUS message before using it
       (CVE-2026-31627)
     - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
       (CVE-2026-31626)
     - HID: alps: fix NULL pointer dereference in alps_raw_event()
       (CVE-2026-31625)
     - HID: core: clamp report_size in s32ton() to avoid undefined shift
       (CVE-2026-31624)
     - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
       (CVE-2026-31623)
     - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
       (CVE-2026-31622)
     - [arm*] drm/vc4: platform_get_irq_byname() returns an int (CVE-2026-43072)
     - ALSA: fireworks: bound device-supplied status before string array lookup
       (CVE-2026-31619)
     - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
       (CVE-2026-31618)
     - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
       (CVE-2026-31617)
     - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
       (CVE-2026-31616)
     - [arm64,armhf] usb: gadget: renesas_usb3: validate endpoint index in
       standard request handlers (CVE-2026-31615)
     - ksmbd: validate EaNameLength in smb2_get_ea() (CVE-2026-31612)
     - ksmbd: require 3 sub-authorities before reading sub_auth[2]
       (CVE-2026-31611)
     - usbip: validate number_of_packets in usbip_pack_ret_submit()
       (CVE-2026-31607)
     - usb: storage: Expand range of matched versions for VL817 quirks entry
     - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
     - usb: port: add delay after usb_hub_set_port_power()
     - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
       (CVE-2026-31605)
     - staging: sm750fb: fix division by zero in ps_to_hz() (CVE-2026-31603)
     - USB: serial: option: add Telit Cinterion FN990A MBIM composition
     - ALSA: ctxfi: Limit PTP to a single page (CVE-2026-31602)
     - dcache: Limit the minimal number of bucket to two (CVE-2026-43071)
     - media: vidtv: fix NULL pointer dereference in
       vidtv_channel_pmt_match_sections (CVE-2026-31599)
     - ocfs2: fix possible deadlock between unlink and dio_end_io_write
       (CVE-2026-31598)
     - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
       (CVE-2026-31597)
     - ocfs2: handle invalid dinode in ocfs2_group_extend (CVE-2026-31596)
     - [x86] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
       (CVE-2026-31590)
     - Revert "dmaengine: idxd: Fix not releasing workqueue on .release()"
       (regression in 6.1.168)
     - ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
       (CVE-2025-39997)
     - net: add proper RCU protection to /proc/net/ptype (CVE-2026-23255)
     - net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
     - bonding: return detailed error when loading native XDP fails
     - bonding: check xdp prog when set bond mode (CVE-2025-22105)
     - drm/amdgpu: remove two invalid BUG_ON()s (CVE-2025-68201)
     - nf_tables: nft_dynset: fix possible stateful expression memleak in error
       path (CVE-2026-23399)
     - rxrpc: proc: size address buffers for %pISpc output (CVE-2026-31630)
     - [x86] KVM: x86: Use scratch field in MMIO fragment to hold small write
       values (CVE-2026-31588)
     - mm/kasan: fix double free for kasan pXds (CVE-2026-31686)
     - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
       (CVE-2026-31586)
     - media: vidtv: fix nfeeds state corruption on start_streaming failure
       (CVE-2026-31585)
     - media: em28xx: fix use-after-free in em28xx_v4l2_open() (CVE-2026-31583)
     - ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581)
     - bcache: fix cached_dev.sb_bio use-after-free and crash (CVE-2026-31580)
     - media: as102: fix to not free memory after the device is registered in
       as102_usb_probe() (CVE-2026-31578)
     - nilfs2: fix NULL i_assoc_inode dereference in 
nilfs_mdt_save_to_shadow_map
       (CVE-2026-31577)
     - media: vidtv: fix pass-by-value structs causing MSAN warnings
       (CVE-2026-43058)
     - media: hackrf: fix to not free memory after the device is registered in
       hackrf_probe() (CVE-2026-31576)
     - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
       (CVE-2026-31594)
     - ipv6: add NULL checks for idev in SRv6 paths (CVE-2026-23442)
     - gfs2: Improve gfs2_consist_inode() usage
     - gfs2: Validate i_depth for exhash directories (CVE-2025-38710)
     - wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
       (CVE-2026-23444)
     - net: dsa: clean up FDB, MDB, VLAN entries on unbind (CVE-2025-37864)
     - [arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
     - [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
     - ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
     - ocfs2: validate inline data i_size during inode read (CVE-2026-43076)
     - ocfs2: fix out-of-bounds write in ocfs2_write_end_inline (CVE-2026-43075)
     - rxrpc: Fix key quota calculation for multitoken keys
     - rxrpc: Fix call removal to use RCU safe deletion (CVE-2026-31642)
     - rxrpc: reject undecryptable rxkad response tickets (CVE-2026-31637)
     - [x86] KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
     - ublk: fix deadlock when reading partition table (CVE-2025-68823)
     - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
       (CVE-2026-31595)
     - [arm64,armhf] ASoC: qcom: q6apm: move component registration to unmanaged
       version (CVE-2026-31587)
     - rxrpc: Fix recvmsg() unconditional requeue (CVE-2026-23066)
     - scsi: ufs: core: Fix use-after free in init error and remove paths
       (CVE-2025-21739)
     - ALSA: control: Avoid WARN() for symlink errors (CVE-2024-56657)
     - f2fs: fix null-ptr-deref in f2fs_submit_page_bio() (CVE-2024-53221)
     - wifi: iwlwifi: read txq->read_ptr under lock (CVE-2024-36922)
     - [arm64] mm: fix VA-range sanity check (CVE-2023-53989)
     - rxrpc: Fix anonymous key handling
     - rxrpc: only handle RESPONSE during service challenge (CVE-2026-31676)
     - fs/ntfs3: validate rec->used in journal-replay file record check
       (CVE-2026-31716)
     - fuse: reject oversized dirents in page cache (CVE-2026-31694)
     - fuse: quiet down complaints in fuse_conn_limit_write
     - smb: server: fix active_num_conn leak on transport allocation failure
       (CVE-2026-31711)
     - smb: server: fix max_connections off-by-one in tcp accept path
     - smb: client: require a full NFS mode SID before reading mode bits
       (CVE-2026-43350)
     - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
       (CVE-2026-31708)
     - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
       (CVE-2026-31705)
     - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
       (CVE-2026-31704)
     - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
       (CVE-2026-31702)
     - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
     - ALSA: caiaq: take a reference on the USB device in create_card()
       (CVE-2026-31701)
     - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
       (CVE-2026-31699)
     - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
       failed (CVE-2026-31698)
     - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
       (CVE-2026-31697)
     - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
       (CVE-2026-31696)
     - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (CVE-2026-46018)
     - ALSA: usb-audio: Avoid false E-MU sample-rate notifications
     - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
     - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
     - ALSA: usb-audio: Evaluate packsize caps at the right place
     - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
       (CVE-2026-46006)
     - [x86] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
       (CVE-2026-46022)
     - [x86] ibmasm: fix OOB reads in command_file_write due to missing size
       checks (CVE-2026-45994)
     - [x86] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
       (CVE-2026-46064)
     - firmware: google: framebuffer: Do not mark framebuffer as busy
     - padata: Fix pd UAF once and for all (CVE-2025-38584)
     - padata: Remove comment for reorder_work
     - drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
     - drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
       (CVE-2026-23468)
     - net: enetc: fix the deadlock of enetc_mdio_lock (CVE-2025-40347)
     - blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
       (CVE-2023-53292)
     - [arm64] set __exception_irq_entry with __irq_entry as a default
       (CVE-2023-54322)
     - regset: use kvzalloc() for regset_get_alloc()
     - device property: Make modifications of fwnode "flags" thread safe
     - ocfs2: split transactions in dio completion to avoid credit exhaustion
       (CVE-2026-46080)
     - driver core: Don't let a device probe until it's ready
     - wifi: rtw88: check for PCI upstream bridge existence
     - f2fs: fix to detect potential corrupted nid in free_nid_list
       (CVE-2025-68315)
     - crypto: pcrypt - Fix handling of MAY_BACKLOG requests (CVE-2026-43493)
     - [arm*] media: amphion: Fix race between m2m job_abort and device_run
       (CVE-2026-46058)
     - ALSA: control: Validate buf_len before strnlen() in
       snd_ctl_elem_init_enum_names() (CVE-2026-46088)
     - net: caif: clear client service pointer on teardown (CVE-2026-46098)
     - net: strparser: fix skb_head leak in strp_abort_strp() (CVE-2026-46102)
     - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
       (CVE-2026-46009)
     - Revert "ALSA: usb: Increase volume range that triggers a warning"
       (regression in 6.1.162)
     - lib/ts_kmp: fix integer overflow in pattern length calculation
     - net: qrtr: ns: Fix use-after-free in driver remove() (CVE-2026-46047)
     - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
       (CVE-2026-46002)
     - ALSA: ctxfi: Add fallback to default RSR for S/PDIF (CVE-2026-46049)
     - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
     - erofs: fix the out-of-bounds nameoff handling for trailing dirents
       (CVE-2026-46078)
     - md/raid10: fix deadlock with check operation and nowait requests
       (CVE-2026-46050)
     - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
     - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
     - rbd: fix null-ptr-deref when device_add_disk() fails (CVE-2026-46079)
     - io_uring/timeout: check unused sqe fields
     - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
     - io_uring/poll: fix signed comparison in io_poll_get_ownership()
       (CVE-2026-52933)
     - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
     - ALSA: core: Fix potential data race at fasync handling
     - ALSA: caiaq: Fix control_put() result and cache rollback
     - ALSA: caiaq: Handle probe errors properly (CVE-2026-46004)
     - ALSA: 6fire: Fix input volume change detection
     - iio: adc: ad7768-1: fix one-shot mode data acquisition
     - net: rds: fix MR cleanup on copy error (CVE-2026-46053)
     - net/smc: avoid early lgr access in smc_clc_wait_msg (CVE-2026-46027)
     - net: ks8851: Reinstate disabling of BHs around IRQ handler
       (CVE-2026-46031)
     - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
       (CVE-2026-46043)
     - ipv4: icmp: validate reply type before using icmp_pointers
       (CVE-2026-46037)
     - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
       (CVE-2026-46024)
     - power: supply: axp288_charger: Do not cancel work before initializing it
     - randomize_kstack: Maintain kstack_offset per task
     - mmc: block: use single block write in retry
     - [arm64] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
     - tpm: tpm_tis: add error logging for data transfer
     - userfaultfd: allow registration of ranges below mmap_min_addr
     - [x86] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
     - [x86] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
     - [x86] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
       (CVE-2026-45987)
     - [x86] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 (CVE-2026-46082)
     - [x86] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB
       intercepts
     - [x86] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest
       mode
     - [x86] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested 
#VMEXIT
     - [x86] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested
       VMRUN
     - [x86] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
     - [x86] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested
       #VMEXIT
     - [x86] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
     - [x86] KVM: nSVM: Add missing consistency check for nCR3 validity
     - mtd: docg3: fix use-after-free in docg3_release() (CVE-2026-46285)
     - io_uring/poll: fix multishot recv missing EOF on wakeup race
     - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
       (CVE-2026-46046)
     - md/raid5: fix soft lockup in retry_aligned_read() (CVE-2026-46051)
     - md/raid5: validate payload size before accessing journal metadata
       (CVE-2026-46070)
     - inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
       (CVE-2026-46040)
     - tcp: call sk_data_ready() after listener migration (CVE-2026-46015)
     - taskstats: set version in TGID exit notifications
     - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
       (CVE-2026-46056)
     - can: ucan: fix devres lifetime (CVE-2026-46103)
     - [arm64] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as
       64-bit
     - [armel,armhf] crypto: atmel-aes - Fix 3-page memory leak in
       atmel_aes_buff_cleanup (CVE-2026-46019)
     - [arm*] crypto: ccree - fix a memory leak in cc_mac_digest()
       (CVE-2026-45986)
     - [armel,armhf] crypto: atmel-tdes - fix DMA sync direction
       (CVE-2026-46077)
     - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
       (CVE-2026-46075)
     - dm mirror: fix integer overflow in create_dirty_log() (CVE-2026-46023)
     - IB/core: Fix zero dmac race in neighbor resolution
     - ntfs3: add buffer boundary checks to run_unpack() (CVE-2026-46072)
     - ntfs3: fix integer overflow in run_unpack() volume boundary check
       (CVE-2026-46062)
     - rtmutex: Use waiter::task instead of current in remove_waiter()
       (CVE-2026-43499)
     - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
       (CVE-2026-45997)
     - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
     - crypto: authencesn - reject short ahash digests during instance creation
       (CVE-2026-46033)
     - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
     - ALSA: caiaq: Don't abort when no input device is available
     - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
       (CVE-2026-43501)
     - drm/amdgpu: fix zero-size GDS range init on RDNA4 (CVE-2026-46276)
     - ALSA: caiaq: fix usb_dev refcount leak on probe failure
     - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (CVE-2026-46099)
     - netfilter: reject zero shift in nft_bitwise (CVE-2026-46101)
     - scsi: target: configfs: Bound snprintf() return in 
tg_pt_gp_members_show()
       (CVE-2026-46149)
     - ipmi: Add limits to event and receive message requests (CVE-2026-46177)
     - ipmi: Check event message buffer response for bad data (CVE-2026-46128)
     - ipmi:si: Return state to normal if message allocation fails
       (CVE-2026-46108)
     - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
       (CVE-2026-43497)
     - ACPI: scan: Use acpi_dev_put() in object add error paths
     - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
     - [x86] ACPI: video: force native backlight on HP OMEN 16 (8A44)
     - ASoC: SOF: Don't allow pointer operations on unconfigured streams
       (CVE-2026-46179)
     - [arm64,armhf] spi: rockchip: fix controller deregistration
     - drm/amd/display: Do not skip unrelated mode changes in DSC validation
       (CVE-2026-31488)
     - [arm64,armhf] spi: meson-spicc: Fix double-put in remove path
       (CVE-2026-31489)
     - ext4: validate p_idx bounds in ext4_ext_correct_indexes (CVE-2026-31449)
     - [x86] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
       (CVE-2026-46113)
     - flow_dissector: do not dissect PPPoE PFC frames (CVE-2026-46306)
     - net/sched: sch_red: Replace direct dequeue call with peek and
       qdisc_dequeue_peeked (CVE-2026-43496)
     - Bluetooth: hci_sync: Remove remaining dependencies of hci_request
     - Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
       (CVE-2026-31500)
     - ice: Fix memory leak in ice_set_ringparam() (CVE-2026-23389)
     - exit: prevent preemption of oopsing TASK_DEAD task (CVE-2026-46173)
     - wifi: mt76: mt7921: fix a potential clc buffer length underflow
       (CVE-2026-46136)
     - wifi: b43legacy: enforce bounds check on firmware key index in RX path
       (CVE-2026-46163)
     - wifi: rsi: fix kthread lifetime race between self-exit and external-stop
       (CVE-2026-46187)
     - wifi: ath5k: do not access array OOB (CVE-2026-46307)
     - wifi: b43: enforce bounds check on firmware key index in b43_rx()
       (CVE-2026-46122)
     - usb: usblp: fix heap leak in IEEE 1284 device ID via short response
       (CVE-2026-46151)
     - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
       (CVE-2026-46167)
     - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
       (CVE-2026-46146)
     - ALSA: usb-audio: Fix UAC3 cluster descriptor size check
     - USB: serial: option: add Telit Cinterion LE910Cx compositions
     - usb: ulpi: fix memory leak on ulpi_register() error paths
       (CVE-2026-46109)
     - ALSA: firewire-tascam: Do not drop unread control events
     - xfrm: provide message size for XFRM_MSG_MAPPING
     - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() (CVE-2026-46172)
     - Bluetooth: virtio_bt: clamp rx length before skb_put (CVE-2026-46123)
     - Bluetooth: virtio_bt: validate rx pkt_type header length (CVE-2026-46186)
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
       (CVE-2026-45835)
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
       (CVE-2026-45834)
     - fanotify: fix false positive on permission events (CVE-2026-46150)
     - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
       rtnl_fill_vfinfo (CVE-2026-46132)
     - sound: ua101: fix division by zero at probe (CVE-2026-46184)
     - ip6_gre: Use cached t->net in ip6erspan_changelink(). (CVE-2026-46120)
     - net/rds: handle zerocopy send cleanup before the message is queued
       (CVE-2026-43502)
     - [x86] hwmon: (corsair-psu) Close HID device on probe errors
     - cifs: abort open_cached_dir if we don't request leases
     - cifs: change_conf needs to be called for session setup
     - [arm64] extcon: ptn5150: handle pending IRQ events during system resume
     - [arm64] hv_sock: fix ARM64 support
     - [ppc64el] ibmveth: Disable GSO for packets with small MSS
       (CVE-2026-46273)
     - udf: reject descriptors with oversized CRC length
     - spi: topcliff-pch: fix use-after-free on unbind (CVE-2026-46301)
     - [ppc64el] cpuidle: powerpc: avoid double clear when breaking snooze
     - [x86] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in
       quirk table
     - [arm64,armhf] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
     - [arm64,armhf] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
       (CVE-2026-46143)
     - [arm64,armhf] ASoC: qcom: q6apm: remove child devices when apm is removed
     - btrfs: fix double free in create_space_info() error path (CVE-2026-46129)
     - dm-thin: fix metadata refcount underflow (CVE-2026-46107)
     - dm: don't report warning when doing deferred remove
     - dm: fix a buffer overflow in ioctl processing (CVE-2026-46294)
     - dm-verity-fec: correctly reject too-small FEC devices
     - dm-verity-fec: correctly reject too-small hash devices
     - isofs: validate Rock Ridge CE continuation extent against volume size
       (CVE-2026-46303)
     - isofs: validate block number from NFS file handle in isofs_export_iget
       (CVE-2026-46124)
     - libceph: Fix slab-out-of-bounds access in auth message processing
       (CVE-2026-46119)
     - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
       (CVE-2026-46161)
     - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free (CVE-2026-46304)
     - openvswitch: vport: fix self-deadlock on release of tunnel ports
       (CVE-2026-46165)
     - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
       (CVE-2026-46112)
     - [s390x] debug: Reject zero-length input in debug_input_flush_fn()
     - smb/client: fix out-of-bounds read in symlink_data() (CVE-2026-46185)
     - PCI/AER: Clear only error bits in PCIe Device Status
     - PCI/AER: Stop ruling out unbound devices as error source
     - [x86] power: supply: max17042: avoid overflow when determining health
     - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
       (CVE-2026-46178)
     - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
       (CVE-2026-46127)
     - RDMA/rxe: Reject unknown opcodes before ICRC processing (CVE-2026-46133)
     - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
       (CVE-2026-46189)
     - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
     - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
     - mptcp: sockopt: set timestamp flags on subflow socket, not msk
     - mptcp: fix scheduling with atomic in timestamp sockopt (CVE-2026-46168)
     - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
     - f2fs: fix fiemap boundary handling when read extent cache is incomplete
     - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
     - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong
       value
     - f2fs: compress: change the first parameter of page_array_{alloc,free} to
       sbi
     - f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
       (CVE-2025-38627)
     - exit: Sleep at TASK_IDLE when waiting for application core dump
     - media: uvcvideo: Enable VB2_DMABUF for metadata stream
     - [x86] staging: media: atomisp: Disallow all private IOCTLs
       (CVE-2026-46205)
     - media: rc: xbox_remote: heed DMA restrictions (CVE-2026-46236)
     - media: rc: streamzap: Error handling in probe
     - media: saa7164: add ioremap return checks and cleanups (CVE-2026-46235)
     - [x86] platform/x86: hp-wmi: Ignore backlight and FnLock events
     - media: pci: zoran: fix potential memory leak in zoran_probe()
     - media: dib8000: avoid division by 0 in dib8000_set_dds()
     - [armhf] media: omap3isp: drop the use count of v4l2 pipeline
     - [arm64,armhf] spi: imx: fix runtime pm leak on probe deferral
     - [armel,armhf] spi: orion: fix clock imbalance on registration failure
     - drm/amdgpu: Add bounds checking to ib_{get,set}_value (CVE-2026-46218)
     - drm/amdgpu/vce: Prevent partial address patches
     - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg (CVE-2026-46199)
     - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg (CVE-2026-46230)
     - drm/gem: Fix inconsistent plane dimension calculation in
       drm_gem_fb_init_with_funcs() (CVE-2026-46209)
     - drm/amdkfd: validate SVM ioctl nattr against buffer size (CVE-2026-46197)
     - drm/radeon: add missing revision check for CI
     - drm/amdgpu: zero-initialize GART table on allocation
     - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
     - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
       (CVE-2026-46220)
     - drm/amdgpu/pm: add missing revision check for CI
     - drm/amdgpu/pm: align Hawaii mclk workaround with radeon
     - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
       (CVE-2026-46227)
     - batman-adv: fix integer overflow on buff_pos (CVE-2026-46198)
     - batman-adv: reject new tp_meter sessions during teardown (CVE-2026-46206)
     - batman-adv: stop caching unowned originator pointers in BAT IV
       (CVE-2026-46238)
     - batman-adv: bla: prevent use-after-free when deleting claims
       (CVE-2026-46212)
     - batman-adv: bla: only purge non-released claims (CVE-2026-46233)
     - batman-adv: bla: put backbone reference on failed claim hash insert
       (CVE-2026-46231)
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
       (CVE-2026-45836)
     - mtd: spi-nor: sst: Factor out common write operation to
       `sst_nor_write_data()`
     - mtd: spi-nor: sst: Fix write enable before AAI sequence
     - vsock: fix buffer size clamping order (CVE-2026-46234)
     - vsock/virtio: fix accept queue count leak on transport mismatch
       (CVE-2026-46214)
     - drm/amdgpu/vcn3: Avoid overflow on msg bound check
     - drm/amdgpu/vcn4: Avoid overflow on msg bound check
     - mtd: spi-nor: sst: Fix SST write failure
     - bcache: fix uninitialized closure object
     - blk-cgroup: wait for blkcg cleanup before initializing new disk
     - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
       (CVE-2026-53130)
     - drbd: Balance RCU calls in drbd_adm_dump_devices() (CVE-2026-53128)
     - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
       (CVE-2026-53320)
     - pstore/ram: fix resource leak when ioremap() fails
     - devres: fix missing node debug info in devm_krealloc()
     - debugfs: check for NULL pointer in debugfs_create_str()
     - hrtimers: Update the return type of enqueue_hrtimer()
     - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
     - hrtimer: Reduce trace noise in hrtimer_start()
     - locking: Fix rwlock support in <linux/spinlock_up.h>
     - firmware: dmi: Correct an indexing error in dmi.h
     - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
     - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished
       irq_prepare_bcn_tasklet (CVE-2026-53112)
     - bpf: Add CHECKSUM_COMPLETE to bpf test progs
     - bpf: test_run: Fix the null pointer dereference issue in
       bpf_lwt_xmit_push_encap (CVE-2026-53111)
     - kernel: param: rename locate_module_kobject
     - kernel: globalize lookup_or_create_module_kobject()
     - bpf, devmap: Remove unnecessary if check in for loop
     - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
       (CVE-2026-53096)
     - wifi: rtw89: phy: fix uninitialized variable access in
       rtw89_phy_cfo_set_crystal_cap()
     - r8152: fix incorrect register write to USB_UPHY_XTAL
     - [ppc64el] powerpc/crash: fix backup region offset update to elfcorehdr
     - macvlan: annotate data-races around port->bc_queue_len_used
     - bpf: fix end-of-list detection in cgroup_storage_get_next_key()
       (CVE-2026-45838)
     - wifi: brcmfmac: Fix error pointer dereference (CVE-2026-53093)
     - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable 
hooks
     - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
       (CVE-2026-45839)
     - [arm64] ACPI: AGDI: fix missing newline in error message
     - [arm64] kexec: Remove duplicate allocation for trans_pgd
     - [arm64] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
       (CVE-2026-53088)
     - [arm64] net: bcmgenet: Remove TX ring full logging
     - [arm64] net: bcmgenet: Remove custom ndo_poll_controller()
     - [arm64] net: bcmgenet: add bcmgenet_has_* helpers
     - [arm64] net: bcmgenet: move DESC_INDEX flow to ring 0
     - [arm64] net: bcmgenet: support reclaiming unsent Tx packets
     - [arm64] net: bcmgenet: switch to use 64bit statistics
     - [arm64] net: bcmgenet: fix racing timeout handler (CVE-2026-53086)
     - netfilter: xt_socket: enable defrag after all other checks
     - netfilter: nft_fwd_netdev: check ttl/hl before forwarding
     - 6pack: propagage new tty types
     - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
       (CVE-2026-53082)
     - net/sched: act_ct: Only release RCU read lock after ct_ft
       (CVE-2026-46319)
     - net/rds: Optimize rds_ib_laddr_check
     - net/rds: Restrict use of RDS/IB to the initial network namespace
       (CVE-2026-53077)
     - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
       (CVE-2026-53075)
     - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
       (CVE-2026-53074)
     - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds 
MTU
     - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (CVE-2026-53073)
     - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
       (CVE-2026-53072)
     - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
       (CVE-2026-53071)
     - sctp: fix missing encap_port propagation for GSO fragments
     - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
       (CVE-2026-53069)
     - [arm*] drm/komeda: fix integer overflow in AFBC framebuffer size check
       (CVE-2026-53068)
     - [arm*] drm/sun4i: backend: fix error pointer dereference (CVE-2026-53066)
     * [armhf] ASoC: sti: use managed regmap_field allocations (CVE-2026-53065)
     - dm cache: fix null-deref with concurrent writes in passthrough mode
       (CVE-2026-53064)
     - dm cache: fix write path cache coherency in passthrough mode
     - dm cache: fix write hang in passthrough mode (CVE-2026-53063)
     - dm cache policy smq: fix missing locks in invalidating cache blocks
       (CVE-2026-53062)
     - dm cache: fix concurrent write failure in passthrough mode
     - dm cache: support shrinking the origin device
     - dm cache: fix dirty mapping checking in passthrough mode switching
       (CVE-2026-53061)
     - dm cache metadata: fix memory leak on metadata abort retry
       (CVE-2026-53060)
     - dm log: fix out-of-bounds write due to region_count overflow
       (CVE-2026-53059)
     - [arm64] spi: fsl-qspi: Use reinit_completion() for repeated operations
     - [arm*] drm/sun4i: Fix resource leaks
     - drm/amdgpu: Add default case in DVI mode validation
     - dm init: ensure device probing has finished in dm-mod.waitfor=
     - padata: Remove cpu online check from cpu add and removal
     - padata: Put CPU offline callback in ONLINE section to allow failure
       (CVE-2026-53314)
     - drm/amdgpu/gfx10: look at the right prop for gfx queue priority
     - [arm64] drm/msm/dpu: fix mismatch between power and frequency
       (CVE-2026-53056)
     - [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
     - [arm64,armhf] drm/panel: simple: Correct G190EAN01 prepare timing
     - ALSA: core: Validate compress device numbers without dynamic minors
     - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
     - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
     - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
     - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
     - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
     - drm/amd/pm/ci: Fill DW8 fields from SMC
     - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
     - [arm64] drm/msm/a6xx: Fix HLSQ register dumping
     - [arm64] drm/msm/shrinker: Fix can_block() logic
     - [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers
     - [armhf] pmdomain: ti: omap_prm: Fix a reference leak on device node
     - [arm64] ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
     - [arm*] ASoC: qcom: qdsp6: topology: check widget type before accessing
       data (CVE-2026-53052)
     - PCI: Enable AtomicOps only if Root Port supports them
     - ALSA: scarlett2: Add missing sentinel initializer field
     - [x86] ASoC: SOF: amd: Fix for reading position updates from stream box.
     - [x86] ASoC: SOF: Prepare ipc_msg_data to be used with compress API
     - [x86] ASoC: SOF: Prepare set_stream_data_offset for compress API
     - [x86] ASoC: SOF: Add support for compress API for stream data/offset
     - [x86] ASoC: SOF: compress: return the configured codec from get_params
     - [i386] ALSA: sc6000: Use standard print API
     - [i386] ALSA: sc6000: Keep the programmed board state in card-private data
     - dm cache: fix missing return in invalidate_committed's error path
     - gfs2: Call unlock_new_inode before d_instantiate
     - quota: Fix race of dquot_scan_active() with quota deactivation
       (CVE-2026-53050)
     - gfs2: add some missing log locking (CVE-2026-53049)
     - gfs2: prevent NULL pointer dereference during unmount (CVE-2026-53048)
     - efi/capsule-loader: fix incorrect sizeof in phys array reallocation
       (CVE-2026-53047)
     - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
       (CVE-2026-53046)
     - [armhf] dts: mediatek: mt7623: fix efuse fallback compatible
     - [armhf] memory: tegra124-emc: Fix dll_change check (CVE-2026-53045)
     - [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO
       (M.2 W_DISABLE1)
     - [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count
     - [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count
     - [arm64] dts: qcom: sm8450: Fix GIC_ITS range length
     - [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
     - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered
       during boot
     - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
     - ocfs2/dlm: validate qr_numregions in dlm_match_regions() (CVE-2026-53043)
     - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
       (CVE-2026-53309)
     - [arm64] soc: qcom: aoss: compare against normalized cooling state
     - [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
     - [arm64] xor: fix conflicting attributes for xor_block_template
     - ocfs2: fix listxattr handling when the buffer is full (CVE-2026-53041)
     - ocfs2: validate bg_bits during freefrag scan (CVE-2026-53040)
     - ocfs2: validate group add input before caching (CVE-2026-53039)
     - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
     - [armhf] dmaengine: mxs-dma: Fix missing return value from
       of_dma_controller_register()
     - tracing: Rebuild full_name on each hist_field_name() call
     - ima: check return value of crypto_shash_final() in boot aggregate
     - HID: asus: make asus_resume adhere to linux kernel coding standards
     - HID: asus: do not abort probe when not necessary
     - mtd: spi-nor: core: correct the op.dummy.nbytes when check read 
operations
     - mtd: spi-nor: spansion: Rename s28hs512t prefix
     - mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/
       addr_mode_nbytes
     - mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy
       bytes
     - mtd: spi-nor: spansion: Add support for Infineon S25FS256T
     - mtd: spi-nor: Allow post_sfdp hook to return errors
     - mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
     - mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
     - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
     - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
     - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
     - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
     - [armhf] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
     - HID: usbhid: fix deadlock in hid_post_reset() (CVE-2026-53037)
     - [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check
       (CVE-2026-53036)
     - bpf, sockmap: Fix af_unix iter deadlock (CVE-2026-53035)
     - bpf, sockmap: Fix af_unix null-ptr-deref in proto update (CVE-2026-53034)
     - bpf, sockmap: Take state lock for af_unix iter (CVE-2026-53033)
     - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
     - bpf: allow UTF-8 literals in bpf_bprintf_prepare()
     - [armel,armhf] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the
       JIT
     - perf branch: Avoid incrementing NULL
     - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE 
trace
     - perf expr: Return -EINVAL for syntax error in expr__find_ids()
     - perf util: Kill die() prototype, dead for a long time
     - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
     - dev_printk: add new dev_err_probe() helpers
     - [x86] platform/surface: surfacepro3_button: Drop wakeup source on remove
     - [s390x] tty: hvc_iucv: fix off-by-one in number of supported devices
       (CVE-2026-53306)
     - [x86] platform/x86: panasonic-laptop: Fix OPTD notifier registration and
       cleanup
     - [armhf] mfd: mc13xxx-core: Fix memory leak in
       mc13xxx_add_subdevice_pdata()
     - nfs/blocklayout: Fix compilation error (`make W=1`) in 
bl_write_pagelist()
     - fs/ntfs3: terminate the cached volume label after UTF-8 conversion
       (CVE-2026-53023)
     - [x86] platform/x86: dell_rbu: avoid uninit value usage in
       packet_size_write()
     - [x86] platform/x86: dell-wmi-sysman: bound enumeration string aggregation
       (CVE-2026-53022)
     - RDMA/core: Prefer NLA_NUL_STRING
     - scsi: sg: Resolve soft lockup issue when opening /dev/sgX
       (CVE-2026-53304)
     - scsi: target: core: Fix integer overflow in UNMAP bounds check
       (CVE-2026-53021)
     - [armhf] clk: imx: imx6q: Fix device node reference leak in 
pll6_bypassed()
     - [armhf] clk: imx: imx6q: Fix device node reference leak in
       of_assigned_ldb_sels()
     - [arm64] clk: imx8mq: Correct the CSI PHY sels
     - [arm64] clk: qoriq: avoid format string warning
     - [arm64] clk: xgene: Fix mapping leak in xgene_pllclk_init()
     - f2fs: Use sysfs_emit_at() to simplify code
     - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
       (CVE-2026-53303)
     - [x86] drm/i915: Constify watermark state checker
     - [x86] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
     - [x86] drm/i915: Loop over all active pipes in intel_mbus_dbox_update
     - [x86] drm/i915/wm: Verify the correct plane DDB entry
     - crypto: ccp - copy IV using skcipher ivsize (CVE-2026-53016)
     - [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
     - [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
     - [x86] PCMCIA: Fix garbled log messages for KERN_CONT
     - [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
     - [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
     - net/sched: sch_cake: fix NAT destination port not being updated in
       cake_update_flowkeys
     - nexthop: fix IPv6 route referencing IPv4 nexthop (CVE-2026-53012)
     - net/sched: taprio: continue with other TXQs if one dequeue() failed
     - net/sched: taprio: refactor one skb dequeue from TXQ to separate function
     - net/sched: taprio: rename close_time to end_time
     - net/sched: taprio: fix use-after-free in advance_sched() on schedule
       switch (CVE-2026-53011)
     - container_of: remove container_of_safe()
     - container_of: add container_of_const() that preserves const-ness of the
       pointer
     - tcp: preserve const qualifier in tcp_sk()
     - tcp: add data-race annotations around tp->data_segs_out and
       tp->total_retrans
     - tcp: annotate data-races around tp->bytes_sent
     - tcp: annotate data-races around tp->bytes_retrans
     - tcp: annotate data-races around tp->dsack_dups
     - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
     - i40e: don't advertise IFF_SUPP_NOFCS
     - e1000e: Unroll PTP in probe error handling
     - ipv6: fix possible UAF in icmpv6_rcv() (CVE-2026-53006)
     - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
       (CVE-2026-53004)
     - pppoe: drop PFC frames (CVE-2026-53003)
     - openvswitch: cap upcall PID array size and pre-size vport replies
       (CVE-2026-45840)
     - netfilter: nft_osf: restrict it to ipv4
     - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
       (CVE-2026-45841)
     - netfilter: conntrack: remove sprintf usage (CVE-2026-53002)
     - netfilter: xtables: restrict several matches to inet family
       (CVE-2026-53001)
     - ipvs: fix MTU check for GSO packets in tunnel mode
     - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
       (CVE-2026-52999)
     - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
       (CVE-2026-52998)
     - slip: reject VJ receive packets on instances with no rstate array
       (CVE-2026-45842)
     - slip: bound decode() reads against the compressed packet length
       (CVE-2026-45843)
     - [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number
     - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
     - ksmbd: scope conn->binding slowpath to bound sessions only
       (CVE-2026-52911)
     - net/rds: zero per-item info buffer before handing it to visitors
       (CVE-2026-52995)
     - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
     - net/sched: sch_pie: annotate data-races in pie_dump_stats()
     - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
     - net/sched: sch_red: annotate data-races in red_dump_stats()
     - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
     - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
     - tipc: fix double-free in tipc_buf_append() (CVE-2026-52993)
     - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
     - fs/adfs: validate nzones in adfs_validate_bblk() (CVE-2026-52992)
     - fbdev: offb: fix PCI device reference leak on probe failure
     - mailbox: mailbox-test: free channels on probe error (CVE-2026-53296)
     - cgroup/rdma: fix integer overflow in rdmacg_try_charge()
     - mailbox: add sanity check for channel array (CVE-2026-53295)
     - mailbox: mailbox-test: don't free the reused channel (CVE-2026-53294)
     - btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
     - tracing: branch: Fix inverted check on stat tracer registration
     - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
       (CVE-2026-52989)
     - netfilter: arp_tables: fix IEEE1394 ARP payload parsing (CVE-2026-45844)
     - nvme-pci: fix missed admin queue sq doorbell write
     - drm/amdgpu: fix spelling typos
     - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
     - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
     - netfilter: xt_policy: fix strict mode inbound policy matching
       (CVE-2026-52920)
     - netfilter: nf_conntrack_sip: don't use simple_strtoul (CVE-2026-52986)
     - [arm64,armhf] drivers/spi-rockchip.c : Remove redundant variable slave
     - [arm64,armhf] spi: rockchip: switch to use modern name
     - [arm64.armhf] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
     - cdrom, scsi: sr: propagate read-only status to block layer via
       set_disk_ro()
     - netdevsim: zero initialize struct iphdr in dummy sk_buff (CVE-2026-52985)
     - net/sched: netem: fix probability gaps in 4-state loss model
     - net/sched: netem: fix queue limit check to include reordered packets
       (CVE-2026-52984)
     - net/sched: netem: validate slot configuration
     - net/sched: netem: fix slot delay calculation overflow
     - net/sched: sch_choke: annotate data-races in choke_dump_stats()
     - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
     - vrf: Fix a potential NPD when removing a port from a VRF (CVE-2026-52925)
     - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
       (CVE-2026-52982)
     - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
     - neighbour: add RCU protection to neigh_tables[]
     - neigh: let neigh_xmit take skb ownership (CVE-2026-52981)
     - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
     - net: mctp i2c: check length before marking flow active
     - netfilter: skip recording stale or retransmitted INIT
     - sctp: discard stale INIT after handshake completion
     - ipv4: rename and move ip_route_output_tunnel()
     - ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
     - ipv4: add new arguments to udp_tunnel_dst_lookup()
     - ipv6: rename and move ip6_dst_lookup_tunnel()
     - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
       (CVE-2026-45846)
     - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
     - net: netconsole: move newline trimming to function
     - netconsole: propagate device name truncation in dev_name_store()
     - ALSA: hda/conexant: fix some typos
     - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
     - ALSA: hda/conexant: Fix missing error check for jack detection
       (CVE-2026-53291)
     - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
       (CVE-2026-52977)
     - drm/amd/display: Allow DCE link encoder without AUX registers
     - drm/amd/display: Read EDID from VBIOS embedded panel info
     - bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
     - net: bonding: add broadcast_neighbor option for 802.3ad
     - bonding: add support for per-port LACP actor priority
     - bonding: print churn state via netlink
     - bonding: 3ad: implement proper RCU rules for port->aggregator
       (CVE-2026-52975)
     - iavf: stop removing VLAN filters from PF on interface down
     - iavf: wait for PF confirmation before removing VLAN filters
     - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
     - ice: Pull common tasks into ice_vf_post_vsi_rebuild
     - ice: fix NULL pointer dereference in ice_reset_all_vfs()
       (CVE-2026-53289)
     - net: tls: fix strparser anchor skb leak on offload RX setup failure
       (CVE-2026-52974)
     - net/sched: cls_flower: revert unintended changes
     - smb: client: correctly handle ErrorContextData as a flexible array
     - smb: client: fix OOB reads parsing symlink error response
       (CVE-2026-31613)
     - net/sched: sch_pie: annotate more data-races in pie_dump_stats()
     - [arm64] net: bcmgenet: Initialize u64 stats seq counter
     - [arm64] net: bcmgenet: fix leaking free_bds
     - btrfs: tracepoints: fix sleep while in atomic context in
       btrfs_sync_file()
     - ALSA: misc: Use guard() for spin locks
     - ALSA: core: Serialize deferred fasync state checks
     - [x86] ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
     - [x86] ASoC: SOF: stream-ipc: Check for cstream nullity in
       sof_ipc_msg_data()
     - mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T
     - netconsole: avoid out-of-bounds access on empty string in trim_newline()
     - bonding: fix NULL pointer dereference in actor_port_prio setting
     - net: bonding: update the slave array for broadcast mode
     - crypto: af_alg - Cap AEAD AD length to 0x80000000 (CVE-2026-52972)
     - i40e: Cleanup PTP pins on probe failure
     - netfilter: nf_conntrack_sip: get helper before allocating expectation
     - audit: fix incorrect inheritable capability in CAPSET records
       (CVE-2026-53287)
     - netfilter: nft_ct: fix missing expect put in obj eval (CVE-2026-52970)
     - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
     - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
     - KVM: Reject wrapped offset in kvm_reset_dirty_gfn() (CVE-2026-52969)
     - [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling
       pointer arithmetic (CVE-2026-52968)
     - [x86] KVM: x86: Fix Xen hypercall tracepoint argument assignment
     - smb/client: fix possible infinite loop and oob read in symlink_data()
       (CVE-2026-52967)
     - [x86] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
     - ALSA: usb-audio: Bound MIDI endpoint descriptor scans (CVE-2026-52963)
     - ceph: fix a buffer leak in __ceph_setxattr() (CVE-2026-52962)
     - libceph: Fix potential out-of-bounds access in osdmap_decode()
       (CVE-2026-52958)
     - libceph: Fix potential null-ptr-deref in decode_choose_args()
       (CVE-2026-52957)
     - libceph: Fix potential out-of-bounds access in crush_decode()
       (CVE-2026-52955)
     - libceph: handle rbtree insertion error in decode_choose_args()
       (CVE-2026-52954)
     - [x86] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
     - [x86] drm/i915: skip __i915_request_skip() for already signaled requests
     - [arm64,armhf] drm/panfrost: Fix wait_bo ioctl leaking positive return
       from dma_resv_wait_timeout()
     - [x86] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
     - [x86] drm/gma500/oaktrail_lvds: fix hang on init failure (CVE-2026-53279)
     - [x86] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
     - io-wq: check that the predecessor is hashed in io_wq_remove_pending()
     - net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494)
     - io_uring: prevent opcode speculation (CVE-2025-21863)
     - [s390x] debug: Reject zero-length input before trimming a newline
     - wifi: mac80211: check tdls flag in ieee80211_tdls_oper (CVE-2026-43052)
     - [x86] Revert "x86/vdso: Fix output operand size of RDPID"
     - [s390x] Revert "s390/cio: Fix device lifecycle handling in
       css_alloc_subchannel()" (regression in 6.1.165)
     - sysfs: don't remove existing directory on update failure
     - ALSA: ua101: Reject too-short USB descriptors
     - ALSA: asihpi: Fix potential OOB array access at reading cache
     - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
     - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
     - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
     - Bluetooth: bnep: Fix UAF read of dev->name
     - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
       (CVE-2026-46275)
     - Bluetooth: MGMT: validate Add Extended Advertising Data length
     - phonet/pep: disable BH around forwarded sk_receive_skb()
     - [arm64] net: bcmgenet: keep RBUF EEE/PM disabled
     - net: ifb: report ethtool stats over num_tx_queues
     - netfilter: ip6t_hbh: reject oversized option lists (CVE-2026-52915)
     - netfilter: nf_queue: hold bridge skb->dev while queued (CVE-2026-52912)
     - netfilter: ipset: stop hash:* range iteration at end (CVE-2026-52921)
     - qed: fix double free in qed_cxt_tables_alloc()
     - ring-buffer: Fix reporting of missed events in iterator
     - vsock/vmci: fix UAF when peer resets connection during handshake
     - vsock/virtio: reset connection on receiving queue overflow
     - wifi: ath11k: clear shared SRNG pointer state on restart
     - ipv4: raw: reject IP_HDRINCL packets with ihl < 5
     - ixgbevf: fix use-after-free in VEPA multicast source pruning
     - ice: fix setting promisc mode while adding VID filter
     - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
     - cifs: Fix busy dentry used after unmounting
     - tracing: Do not call map->ops->elt_free() if elt_alloc() fails
     - [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range
       num_eventid_bits
     - [x86] scsi: isci: Fix use-after-free in device removal path
     - [armhf] spi: ti-qspi: fix use-after-free after DMA setup failure
     - RDMA/siw: Reject MPA FPDU length underflow before signed receive math
     - device property: set fwnode->secondary to NULL in fwnode_init()
     - drm/virtio: use uninterruptible resv lock for plane updates
     - drm/amd/display: Fix integer overflow in bios_get_image()
     - drm/amd/display: Validate GPIO pin LUT table size before iterating
     - drm/amd/display: Validate payload length and link_index in
       dc_process_dmub_aux_transfer_async
     - batman-adv: mcast: fix use-after-free in orig_node RCU release
     - batman-adv: clear current gateway during teardown (CVE-2026-52926)
     - batman-adv: dat: handle forward allocation error (CVE-2026-52922)
     - batman-adv: fix fragment reassembly length accounting (CVE-2026-52914)
     - batman-adv: fix tp_meter counter underflow during shutdown
       (CVE-2026-52919)
     - batman-adv: frag: disallow unicast fragment in fragment (CVE-2026-52916)
     - batman-adv: bla: fix report_work leak on backbone_gw purge
     - batman-adv: tp_meter: avoid use of uninit sender vars (CVE-2026-52931)
     - batman-adv: tt: fix negative last_changeset_len
     - batman-adv: tt: fix negative tt_buff_len
     - HID: uclogic: Fix regression of input name assignment
     - netfilter: x_tables: unregister the templates first
     - tcp: Fix imbalanced icsk_accept_queue count.
     - ice: fix locking in ice_dcb_rebuild()
     - [arm64,armhf] phy: marvell: mvebu-a3700-utmi: fix incorrect
       USB2_PHY_CTRL register access
     - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
     - wifi: ath11k: fix error path leaks in some WMI WOW calls
     - HID: quirks: really enable the intended work around for appledisplay
     - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
       (CVE-2026-52941)
     - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
     - [arm64] drm/msm/dsi: don't dump registers past the mapped region
     - [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid
       WARN
     - [ppc64el] powerpc/time: Remove redundant preempt_disable|enable() calls
       from arch_irq_work_raise()
     - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
     - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
     - net: tls: prevent chain-after-chain in plain text SG
     - [arm64] drm/msm/snapshot: fix dumping of the unaligned regions
     - wifi: ath11k: Trigger sta disconnect on hardware restart
     - wifi: ath11k: update hw params for IPQ5018
     - wifi: ath11k: update ce configurations for IPQ5018
     - wifi: ath11k: remap ce register space for IPQ5018
     - wifi: ath11k: update hal srng regs for IPQ5018
     - wifi: ath11k: initialize hw_ops for IPQ5018
     - wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap
     - wifi: ath11k: fix rssi station dump not updated in QCN9074
     - wifi: ath11k: fix peer resolution on rx path when peer_id=0
     - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
     - [x86] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
     - [x86] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
     - [x86] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
     - RDMA/rtrs: Fix use-after-free in path file creation cleanup
     - net: bridge: Flush multicast groups when snooping is disabled
     - bridge: mcast: Fix a possible use-after-free when removing a bridge port
     - tracing: Avoid NULL return from hist_field_name() on truncation
     - string: add mem_is_zero() helper to check if memory area is all zeros
     - gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
     - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
     - net: mana: validate rx_req_idx to prevent out-of-bounds array access
     - security/keys: fix missed RCU read section on lookup
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.176
     - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
     - net/sched: cls_fw: fix NULL dereference of "old" filters before change()
       (CVE-2026-53080)
     - net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930)
     - net/sched: sch_sfb: Replace direct dequeue call with peek and
       qdisc_dequeue_peeked
     - drm: Remove plane hsub/vsub alignment requirement for core helpers
     - [armhf] net: cpsw_new: Fix potential unregister of netdev that has not
       been registered yet (CVE-2026-43219)
     - nfc: llcp: Fix use-after-free in llcp_sock_release()
     - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
     - xfrm: Check for underflow in xfrm_state_mtu
     - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
     - netfilter: synproxy: refresh tcphdr after skb_ensure_writable
     - netfilter: xt_cpu: prefer raw_smp_processor_id
     - netfilter: ebtables: fix OOB read in compat_mtw_from_user
       (CVE-2026-52927)
     - tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321)
     - tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322)
     - net: netlink: fix sending unassigned nsid after assigned one
     - net: netlink: don't set nsid on local notifications
     - net/smc: Do not re-initialize smc hashtables
     - [s390x] net/iucv: fix locking in .getsockopt
     - ipv4: free net->ipv4.sysctl_local_reserved_ports after
       unregister_net_sysctl_table()
     - [x86] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
     - net: hsr: fix potential OOB access in supervision frame handling
     - tunnels: load network headers after skb_cow() in
       iptunnel_pmtud_build_icmp[v6]()
     - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
     - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
     - ASoC: codecs: simple-mux: Fix enum control bounds check
     - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
     - bonding: refuse to enslave CAN devices
     - ethtool: eeprom: add more safeties to EEPROM Netlink fallback
     - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
     - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
     - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
     - [arm*] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
     - net: mana: Add NULL guards in teardown path to prevent panic on attach
       failure
     - sctp: fix race between sctp_wait_for_connect and peeloff
     - ipv6: fix possible infinite loop in rt6_fill_node()
     - ipv6: fix possible infinite loop in fib6_select_path()
     - net: skbuff: fix pskb_carve leaking zcopy pages
     - batman-adv: v: stop OGMv2 on disabled interface (CVE-2026-52913)
     - batman-adv: tvlv: abort OGM send on tvlv append failure
     - batman-adv: tt: reject oversized local TVLV buffers
     - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
     - batman-adv: tvlv: reject oversized TVLV packets (CVE-2026-52934)
     - batman-adv: iv: recover OGM scheduling after forward packet error
     - batman-adv: tp_meter: directly shut down timer on cleanup
     - batman-adv: tt: fix TOCTOU race for reported vlans
     - batman-adv: tt: avoid empty VLAN responses
     - batman-adv: bla: avoid double decrement of bla.num_requests
     - mm/page_alloc: clear page->private in free_pages_prepare()
       (CVE-2026-43303)
     - bpf: Fix a few selftest failures due to llvm18 change
     - net/packet: convert po->tp_tx_has_off to an atomic flag
     - net/packet: convert po->tp_loss to an atomic flag
     - net/packet: convert po->has_vnet_hdr to an atomic flag
     - net/packet: convert po->running to an atomic flag
     - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
       (CVE-2026-31700)
     - [x86] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD
       register
     - drm/dp: Add eDP 1.5 bit definition
     - [x86] drm/i915/psr: Read Intel DPCD workaround register
     - [x86] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line
       used
     - net: gro: don't merge zcopy skbs (CVE-2026-46323)
     - phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table
     - phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
     - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
     - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with
       pmbus_lock
     - hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock
     - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
     - usb: typec: ucsi: ccg: reject firmware images without a ':' record header
     - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
     - usb: typec: altmodes/displayport: validate count before reading Status
       Update VDO
     - [x86] usb: typec: wcove: don't write past struct pd_message in
       wcove_read_rx_buffer()
     - usb: typec: ucsi: validate connector number in ucsi_connector_change()
     - USB: serial: safe_serial: fix memory corruption with small endpoint
     - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
     - Bluetooth: btusb: Allow firmware re-download when version matches
     - hpfs: fix a crash if hpfs_map_dnode_bitmap fails
     - ipc: limit next_id allocation to the valid ID range (CVE-2026-52923)
     - auxdisplay: line-display: fix OOB read on zero-length message_store()
     - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
     - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
     - Bluetooth: HIDP: fix missing length checks in hidp_input_report()
     - Bluetooth: ISO: fix UAF in iso_recv_frame
     - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
     - parport: Fix race between port and client registration (Closes: #1130365)
     - USB: cdc-acm: Fix bit overlap and move quirk definitions to header
     - wireguard: send: append trailer after expanding head
     - iio: dac: ad5686: fix input raw value check
     - iio: dac: ad5686: acquire lock when doing powerdown control
     - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
     - iio: gyro: itg3200: fix i2c read into the wrong stack location
     - iio: ssp_sensors: cancel delayed work_refresh on remove
     - iio: temperature: tsys01: fix broken PROM checksum validation
     - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
     - iio: light: cm3323: fix reg_conf not being initialized correctly
     - iio: buffer: hw-consumer: fix use-after-free in error path
     - USB: serial: omninet: fix memory corruption with small endpoint
     - usb: dwc2: Fix use after free in debug code
     - Input: elan_i2c - validate firmware size before use
     - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
     - macsec: fix replay protection at XPN lower-PN wrap
     - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
     - [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and
       set_params
     - ipv6: exthdrs: refresh nh after handling HAO option
     - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
     - ipv6: validate extension header length before copying to cmsg
     - xfrm: input: hold netns during deferred transport reinjection
     - ip6: vti: Use ip6_tnl.net in vti6_changelink().
     - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
     - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
     - nfc: hci: fix out-of-bounds read in HCP header parsing
     - xfrm: route MIGRATE notifications to caller's netns
     - xfrm: ah: use skb_to_full_sk in async output callbacks
     - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without
       direction check
     - [arm64] ASoC: qcom: q6asm-dai: close stream only when running
     - [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and
       trigger callbacks
     - xfrm: esp: restore combined single-frag length gate
     - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
     - [x86] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
     - [x86] comedi: comedi_test: fix check for valid scan_begin_src in
       waveform_ai_cmdtest()
     - [x86] comedi: comedi_test: Fix limiting of convert_arg in
       waveform_ai_cmdtest()
     - counter: Fix refcount leak in counter_alloc() error path
     - [i386] tty: serial: pch_uart: add check for dma_alloc_coherent()
     - [arm*] usb: chipidea: core: convert ci_role_switch to local variable
     - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
     - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub
       controllers
     - usb: storage: Add quirks for PNY Elite Portable SSD
     - usbip: vudc: Fix use after free bug in vudc_remove due to race condition
     - usb: usbtmc: check URB actual_length for interrupt-IN notifications
     - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
     - USB: serial: option: add MeiG SRM813Q
     - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
     - USB: serial: belkin_sa: validate interrupt status length
     - USB: serial: cypress_m8: validate interrupt packet headers
     - USB: serial: keyspan: fix missing indat transfer sanity check
     - USB: serial: mxuport: fix memory corruption with small endpoint
     - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
     - usb: gadget: net2280: Fix double free in probe error path
     - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
     - usb: gadget: f_fs: copy only received bytes on short ep0 read
     - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
     - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
     - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
     - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
     - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
     - scsi: target: iscsi: Validate CHAP_R length before base64 decode
     - drm/hyperv: validate resolution_count and fix WIN8 fallback
     - drm/hyperv: validate VMBus packet size in receive callback
     - [x86] drm/i915: Fix potential UAF in TTM object purge
     - drm/amd/pm/si: Disregard vblank time when no displays are connected
     - [arm64] serial: sh-sci: fix memory region release in error path
     - [arm64] serial: fsl_lpuart: fix rx buffer and DMA map leaks in
       start_rx_dma
     - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
     - drm/amdkfd: Check for pdd drm file first in CRIU restore path
     - HID: core: Add printk_ratelimited variants to hid_warn() etc
     - HID: pass the buffer size to hid_report_raw_event
     - HID: core: Fix size_t specifier in hid_report_raw_event()
     - RDMA/rxe: Complete the rxe_cleanup_task backport
     - USB: serial: digi_acceleport: fix memory corruption with small endpoints
     - [arm*] xhci: tegra: Fix ghost USB device on dual-role port unplug
     - netfilter: nf_tables: restore set elements when delete set fails
       (CVE-2024-27012)
     - USB: serial: cypress_m8: fix memory corruption with small endpoint
     - bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is
       loaded (CVE-2026-23310)
     - usb: core: Fix SuperSpeed root hub wMaxPacketSize
     - bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910)
     - USB: serial: mct_u232: fix memory corruption with small endpoint
     - [amd64] dmaengine: idxd: Fix not releasing workqueue on .release()
       (CVE-2026-43064)
     - i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl (CVE-2026-52948)
     - ipv6: mcast: Fix use-after-free when processing MLD queries
       (CVE-2026-53275)
     - net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
       (CVE-2026-53274)
     - tee: optee: prevent use-after-free when the client exits before the
       supplicant (CVE-2026-53273)
     - netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
     - ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270)
     - netfilter: synproxy: add mutex to guard hook reference counting
       (CVE-2026-53269)
     - netfilter: conntrack_irc: fix possible out-of-bounds read
       (CVE-2026-53268)
     - netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266)
     - dm cache policy smq: check allocation under invalidate lock
       (CVE-2026-53265)
     - net/sched: act_api: use RCU with deferred freeing for action lifecycle
       (CVE-2026-53264)
     - 6lowpan: fix off-by-one in multicast context address compression
       (CVE-2026-53263)
     - pcnet32: stop holding device spin lock during napi_complete_done
     - net: Annotate sk->sk_write_space() for UDP SOCKMAP.
     - net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
     - net: lan743x: permit VLAN-tagged packets up to configured MTU
     - [arm*] net: fec: fix pinctrl default state restore order on resume
     - Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
       (CVE-2026-53256)
     - Bluetooth: MGMT: validate advertising TLV before type checks
       (CVE-2026-53255)
     - Bluetooth: RFCOMM: validate skb length in MCC handlers (CVE-2026-53254)
     - Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame()
       extension handling
     - Bluetooth: bnep: reject short frames before parsing (CVE-2026-53253)
     - Bluetooth: fix memory leak in error path of hci_alloc_dev()
       (CVE-2026-53252)
     - Bluetooth: MGMT: Fix backward compatibility with userspace
     - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249)
     - ptp: vclock: Switch from RCU to SRCU
     - vxlan: vnifilter: send notification on VNI add
     - vxlan: vnifilter: fix spurious notification on VNI update
     - ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
     - net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
       (CVE-2026-53245)
     - sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924)
     - ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp
     - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
       (CVE-2026-53352)
     - time: Fix off-by-one in settimeofday() usec validation
     - ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked
       streams (CVE-2026-53242)
     - fs/ntfs3: Return error for inconsistent extended attributes
       (CVE-2023-54125)
     - usb: gadget: f_ncm: Fix net_device lifecycle with device_move
       (CVE-2026-43421)
     - usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
     - net: skbuff: fix missing zerocopy reference in pskb_carve helpers
       (CVE-2026-52943)
     - tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320)
     - [arm64] KVM: arm64: Remove VPIPT I-cache handling
     - [arm64] tlb: Allow XZR argument to TLBI ops
     - [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
     - iomap: don't revert iov_iter on partially completed buffered writes
     - xfrm: policy: fix use-after-free on inexact bin in
       xfrm_policy_bysel_ctx() (CVE-2026-53239)
     - netlabel: validate unlabeled address and mask attribute lengths
       (CVE-2026-53238)
     - ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
       (CVE-2026-53350)
     - tcp: restrict SO_ATTACH_FILTER to priv users (CVE-2026-53236)
     - net/mlx4: avoid GCC 10 __bad_copy_from() false positive
     - net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
       (CVE-2026-52947)
     - ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228)
     - net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227)
     - r8152: reduce the control transfer of rtl8152_get_version()
     - r8152: Block future register access if register access fails
     - r8152: handle the return value of usb_reset_device()
     - sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225)
     - net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223)
     - net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic
       completion (CVE-2026-52939)
     - ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
       (CVE-2026-53221)
     - rds: mark snapshot pages dirty in rds_info_getsockopt()
     - netfilter: nf_conntrack: destroy stale expectfn expectations on
       unregister (CVE-2026-53349)
     - netfilter: x_tables: avoid leaking percpu counter pointers
       (CVE-2026-53219)
     - netfilter: nf_log: validate MAC header was set before dumping it
       (CVE-2026-52942)
     - netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
       (CVE-2026-53218)
     - [arm*] net: mvpp2: sync RX data at the hardware packet offset
       (CVE-2026-53217)
     - [arm*] net: mvpp2: limit XDP frame size to the RX buffer (CVE-2026-53216)
     - [arm*] net: mvpp2: Add metadata support for xdp mode
     - [arm*] net: mvpp2: refill RX buffers before XDP or skb use
       (CVE-2026-53215)
     - [arm*] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
     - netfilter: ctnetlink: ensure safe access to master conntrack
       (CVE-2026-43116)
     - [arm*] drm/vc4: fix krealloc() memory leak (CVE-2026-53213)
     - netfilter: nft_tunnel: fix use-after-free on object destroy
       (CVE-2026-53212)
     - Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
       (CVE-2026-53209)
     - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
       (CVE-2026-53208)
     - [x86] drm/i915/gem: Fix phys BO pread/pwrite with offset (CVE-2026-53356)
     - ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
       (CVE-2026-53198)
     - xfrm: espintcp: do not reuse an in-progress partial send (CVE-2026-52935)
     - USB: serial: io_ti: fix heap overflow in get_manuf_info()
       (CVE-2026-53196)
     - USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
       (CVE-2026-53195)
     - USB: serial: option: add usb-id for Dell Wireless DW5826e-m
     - USB: serial: kl5kusb105: fix bulk-out buffer overflow (CVE-2026-53194)
     - ALSA: timer: Fix UAF at snd_timer_user_params()
     - drm/amd/display: Reject gpio_bitshift >= 32 in
       bios_parser_get_gpio_pin_info()
     - RDMA/srp: bound SRP_RSP sense copy by the received length
       (CVE-2026-53186)
     - udp: clear skb->dev before running a sockmap verdict (CVE-2026-53184)
     - [armhf] socfpga: Fix OF node refcount leak in SMP setup
     - [armel,armhf] 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
     - [armel,armhf] 9475/1: entry: use byte load for KASAN VMAP stack shadow
       (CVE-2026-53343)
     - mptcp: fix retransmission loop when csum is enabled
     - mptcp: close TOCTOU race while computing rcv_wnd
     - mptcp: allow subflow rcv wnd to shrink (CVE-2026-53183)
     - mptcp: sockopt: check timestamping ret value
     - wifi: nl80211: reject oversized EMA RNR lists (CVE-2026-53182)
     - vsock/vmci: fix sk_ack_backlog leak on failed handshake (CVE-2026-53181)
     - bnxt_en: Fix NULL pointer dereference (CVE-2026-53177)
     - IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
       (CVE-2026-53176)
     - pidfd: refuse access to tasks that have started exiting harder
     - fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168)
     - [arm*] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
       (CVE-2026-53339)
     - [armhf] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
     - [arm*] i2c: tegra: Fix NOIRQ suspend/resume
     - [x86] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
     - [x86] Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
     - ipc/shm: serialize orphan cleanup with shm_nattch updates
       (CVE-2026-52930)
     - [arm*] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue
       context (CVE-2026-53161)
     - [arm*] misc: fastrpc: fix use-after-free race in fastrpc_map_create
       (CVE-2026-53160)
     - [arm*] misc: fastrpc: fix DMA address corruption due to find_vma misuse
       (CVE-2026-53159)
     - net/mlx5: Reorder completion before putting command entry in
       cmd_work_handler
     - net: bonding: fix NULL pointer dereference in bond_do_ioctl()
       (CVE-2026-53337)
     - [armel,armhf] net: mv643xx: fix OF node refcount
     - net: rds: clear i_sends on setup unwind (CVE-2026-53355)
     - mmc: core: Fix host controller programming for fixed driver type
     - [arm64] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
     - mmc: sdhci: add signal voltage switch in sdhci_resume_host
     - sctp: diag: reject stale associations in dump_one path (CVE-2026-52917)
     - sctp: stream: fully roll back denied add-stream state (CVE-2026-52929)
     - thunderbolt: Reject zero-length property entries in validator
       (CVE-2026-53150)
     - thunderbolt: Bound root directory content to block size (CVE-2026-53149)
     - thunderbolt: Clamp XDomain response data copy to allocation size
       (CVE-2026-53148)
     - thunderbolt: Validate XDomain request packet size before type cast
       (CVE-2026-53147)
     - thunderbolt: Limit XDomain response copy to actual frame size
       (CVE-2026-53146)
     - slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock (CVE-2026-53331)
     - drm/amdgpu: restart the CS if some parts of the VM are still invalidated
     - drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
       (CVE-2026-53137)
     - drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
       (CVE-2026-53136)
     - drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
       (CVE-2026-53135)
     - drm/amd/display: Use krealloc_array() in dal_vector_reserve()
       (CVE-2026-53329)
     - fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
       (CVE-2026-52946)
     - mm/hugetlb: avoid false positive lockdep assertion
     - mm/damon/ops-common: call folio_test_lru() after folio_get()
     - mm/huge_memory: update file PMD counter before folio_put()
       (CVE-2026-53189)
     - f2fs: use kfree() instead of kvfree() to free some memory
     - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
     - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
       f2fs_write_end_io() (CVE-2026-31715)
     - ksmbd: require minimum ACE size in smb_check_perm_dacl() (CVE-2026-31712)
     - smb: client: validate the whole DACL before rewriting it in cifsacl
       (CVE-2026-31709)
     - [arm64] mm: Enable batched TLB flush in unmap_hotplug_range()
     - lib: test_hmm: evict device pages on file close to avoid use-after-free
       (CVE-2026-46280)
     - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
       (CVE-2026-46069)
     - [arm*] spi: imx: Convert to platform remove callback returning void
     - [arm*] spi: imx: fix use-after-free on unbind (CVE-2026-45996)
     - thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021)
     - media: rc: ttusbir: respect DMA coherency rules
     - media: rc: igorplugusb: heed coherency rules
     - sched: Use u64 for bandwidth ratio calculations
     - net: qrtr: ns: Limit the maximum number of lookups (CVE-2026-46026)
     - net: qrtr: ns: Change servers radix tree to xarray
     - net: qrtr: ns: Free the node during ctrl_cmd_bye() (CVE-2026-46038)
     - net: qrtr: ns: Limit the total number of nodes (CVE-2026-46003)
     - net: bridge: use a stable FDB dst snapshot in RCU readers
       (CVE-2026-46086)
     - spi: fix resource leaks on device setup failure (CVE-2026-46083)
     - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
       (CVE-2026-46065)
     - xfs: fix a resource leak in xfs_alloc_buftarg() (CVE-2026-46005)
     - udf: fix partition descriptor append bookkeeping (CVE-2026-45991)
     - hfsplus: fix uninit-value by validating catalog record size
       (CVE-2026-46169)
     - hfsplus: fix held lock freed on hfsplus_fill_super() (CVE-2026-46299)
     - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
       (CVE-2026-45999)
     - ceph: only d_add() negative dentries when they are unhashed
       (CVE-2026-46052)
     - printk: add print_hex_dump_devel()
     - [arm*] crypto: caam - guard HMAC key hex dumps in hash_digest_key
       (CVE-2026-46291)
     - net: stmmac: avoid shadowing global buf_sz
     - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
     - net: stmmac: Prevent NULL deref when RX memory exhausted (CVE-2026-46110)
     - tracepoint: balance regfunc() on func_add() failure in
       tracepoint_add_func() (CVE-2026-46196)
     - wifi: mac80211: remove station if connection prep fails (CVE-2026-46125)
     - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
       task (CVE-2026-46180)
     - [arm*] usb: dwc3: Move GUID programming after PHY initialization
     - net: ipv4: stop checking crypto_ahash_alignmask
     - net: ipv6: stop checking crypto_ahash_alignmask
     - xfrm: ah: account for ESN high bits in async callbacks (CVE-2026-46193)
     - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
       (CVE-2026-46116)
     - [armhf] spi: sun4i: Convert to platform remove callback returning void
     - [armfh] spi: sun4i: switch to use modern name
     - [armhf] spi: sun4i: fix controller deregistration
     - spi: Convert to SPI_CONTROLLER_HALF_DUPLEX
     - [armhf] spi: spi-ti-qspi: Convert to platform remove callback returning
       void
     - [armhf] spi: spi-ti-qspi: switch to use modern name
     - [armhf] spi: ti-qspi: fix controller deregistration
     - [arm*] spi: sun6i: fix controller deregistration
     - [arm*] spi: s3c64xx: Use devm_clk_get_enabled()
     - [arm*] spi: s3c64xx: fix NULL-deref on driver unbind (CVE-2026-46296)
     - mtd: spi-nor: core: fix implicit declaration warning
     - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
       (CVE-2026-46190)
     - [arm*] spi: tegra114: fix controller deregistration
     - [arm*] spi: tegra20-sflash: fix controller deregistration
     - mm/hugetlb_cma: round up per_node before logging it
     - net: wwan: t7xx: validate port_count against message length in
       t7xx_port_enum_msg_handler (CVE-2026-43495)
     - fbcon: Avoid OOB font access if console rotation fails (CVE-2026-46191)
     - [i386] spi: topcliff-pch: Convert to platform remove callback returning
       void
     - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
       info-leak (CVE-2026-46159)
     - tracing/probes: Limit size of event probe to 3K
     - btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
     - btrfs: fix double free in create_space_info_sub_group() error path
       (CVE-2026-46164)
     - pmdomain: core: Fix detach procedure for virtual devices in genpd
       (CVE-2026-46292)
     - smb: client: validate dacloffset before building DACL pointers
       (CVE-2026-46195)
     - smb: client: Use FullSessionKey for AES-256 encryption key derivation
     - btrfs: fix missing last_unlink_trans update when removing a directory
       (CVE-2026-46160)
     - mptcp: fastclose msk when linger time is 0
     - mptcp: pm: prio: skip closed subflows
     - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
     - mptcp: pm: ADD_ADDR rtx: allow ID 0
     - mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137)
     - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
     - f2fs: fix incorrect file address mapping when inline inode is unwritten
     - f2fs: fix false alarm of lockdep on cp_global_sem lock
     - cgroup/cpuset: Reset DL migration state on can_attach() failure
     - genetlink: Use internal flags for multicast groups
     - smb: client: require net admin for CIFS SWN netlink
     - Bluetooth: hci_qca: Convert timeout from jiffies to ms
     - mm/memory: fix spurious warning when unmapping device-private/exclusive
       pages
     - Bluetooth: Init sk_peer_* on bt_sock_alloc
     - Bluetooth: serialize accept_q access (CVE-2026-52918)
     - net: hsr: defer node table free until after RCU readers
     - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
     - ice: fix VF queue configuration with low MTU values
     - mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
     - [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
     - mptcp: reset rcv wnd on disconnect
     - mptcp: do not drop partial packets
     - [x86] platform/x86/intel/vsec: Add private data for per-device data
     - [x86] platform/x86/intel/vsec: Create wrapper to walk PCI config space
     - [x86] platform/x86/intel/vsec: Make driver_data info const
     - [x86] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error
       recovery
     - [arm64] spi: qup: switch to use modern name
     - [arm64] spi: qup: fix error pointer deref after DMA setup failure
     - [arm64] tlb: Flush walk cache when unsharing PMD tables
     - phy: tegra: xusb: Disable trk clk when not in use
     - phy: tegra: xusb: Fix per-pad high-speed termination calibration
     - iio: gyro: adis16260: fix division by zero in write_raw
     - iio: dac: ad5686: fix ref bit initialization for single-channel parts
     - ALSA: firewire-motu: Protect register DSP event queue positions
     - [armhf] serial: samsung_tty: Use port lock wrappers
     - [armhf] tty: serial: samsung: use u32 for register interactions
     - [armhf] tty: serial: samsung: Remove redundant port lock acquisition in
       rx helpers
     - [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
     - [armhf] usb: musb: omap2430: Fix use-after-free in omap2430_probe()
     - usb: gadget: f_hid: tidy error handling in hidg_alloc
     - usb: gadget: f_hid: fix device reference leak in hidg_alloc()
     - usb: typec: ucsi: Check if power role change actually happened before
       handling
     - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
     - [arm64] tty: serial: qcom-geni-serial: remove unused symbols
     - [arm64] tty: serial: qcom-geni-serial: align #define values
     - [arm64] serial: qcom-geni: fix UART_RX_PAR_EN bit position
     - scsi: target: iscsi: Fix CRC overread and double-free in
       iscsit_handle_text_cmd()
     - usb: typec: ucsi: Don't update power_supply on power role change if not
       connected
     - netfilter: nft_fib: fix stale stack leak via the OIFNAME register
       (CVE-2026-53134)
     - hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
       (CVE-2026-53199)
     - mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb()
     - mm/migrate: don't call folio_putback_active_hugetlb() on dst hugetlb
       folio
     - mm/hugetlb: rename folio_putback_active_hugetlb() to
       folio_putback_hugetlb()
     - mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
     - mm/memory-failure: fix hugetlb_lock AA deadlock in
       get_huge_page_for_hwpoison (CVE-2026-53207)
     - RDMA: Move DMA block iterator logic into dedicated files
     - RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133)
     - ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850)
     - blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed
       before init (CVE-2023-54271)
     - batman-adv: stop tp_meter sessions during mesh teardown (CVE-2026-46208)
     - batman-adv: tp_meter: fix tp_num leak on kmalloc failure
     - [x86] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
     - perf build: Conditionally define NDEBUG
     - perf parse-events: Make YYDEBUG dependent on doing a debug build
     - perf build: Disable fewer bison warnings
     - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
     - ipmi:ssif: Fix a shutdown race
     - ipmi:ssif: Clean up kthread on errors (CVE-2026-46044)
     - usb: typec: tcpm: reset internal port states on soft reset AMS
     - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
       (CVE-2026-43492)
     - ipmi:ssif: Remove unnecessary indention
     - ipmi:ssif: NULL thread on error
     - [arm*] drm/v3d: Reject empty multisync extension to prevent infinite
       loop (CVE-2026-46314)
     - [arm64] Mitigate TLBI errata on various CPU cores (CVE-2025-10263):
       + cputype: Add NVIDIA Olympus definitions
       + cputype: Add C1-Ultra definitions
       + cputype: Add C1-Premium definitions
       + errata: Mitigate TLBI errata on various Arm CPUs (CVE-2026-53354)
       + errata: Mitigate TLBI errata on NVIDIA Olympus CPU
       + errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
     - [armhf] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
       (regression in 6.1.165)
     - [x86] CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
       (regression in 6.1.173)
     - r8152: Hold the rtnl_lock for all of reset
     - media: rc: ttusbir: fix inverted error logic
     - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
     - media: rc: igorplugusb: fix control request setup packet (CVE-2026-46091)
     - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
     - batman-adv: tp_meter: fix race condition in send error reporting
     - batman-adv: tp_meter: avoid role confusion in tp_list
     - netfilter: require Ethernet MAC header before using eth_hdr()
       (CVE-2026-53131)
 .
   [ Ben Hutchings ]
   * Refresh "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets"
   * [rt] Add new signing key for Clark Williams
   * [rt] Update to 6.1.176-rt64:
     - ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
     - [x86] kvm/vmx: guard regparm(0) on vmread_error_trampoline for x86_32
       only
   * [x86] Revert "x86/CPU: Only try to mitigate FPDSS on Zen1" as redundant
   * Revert "net: ipv4: stop checking crypto_ahash_alignmask"
   * Revert "net: ipv6: stop checking crypto_ahash_alignmask"
   * Revert "Bluetooth: L2CAP: use chan timer to close channels in
     cleanup_listen()"
   * cgroup/cpuset: Fix misplaced call to reset_migrate_dl_data()
   * media: uvcvideo: Create an ID namespace for streaming output terminals
   * [ppc64el] cpuidle: Set CPUIDLE_FLAG_POLLING for snooze state
   * Revert "media: rc: streamzap: Error handling in probe"
   * Revert "epoll: use refcount to reduce ep_mutex contention"
     (CVE-2025-38349, CVE-2026-46242)
 .
   [ Salvatore Bonaccorso ]
   * ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909)
   * net/sched: act_pedit: check static offsets a priori
   * net/sched: act_pedit: rate limit datapath messages
   * net/sched: fix pedit partial COW leading to page cache corruption
     (CVE-2026-46331)
   * net/sched: act_pedit: free pedit keys on bail from offset check
Checksums-Sha1:
 bda1e6c17284d2a8be3bb0629cc8de4517f26484 290776 linux_6.1.176-1.dsc
 4441b32974d18ee4e4be15a51f647a221bc4d94a 137945728 linux_6.1.176.orig.tar.xz
 e2287221a33002c0596427f28f9863b0902c82d7 1873136 linux_6.1.176-1.debian.tar.xz
 9f6f6bf45c2d76c5048813acc08383a9c5299bf8 6537 linux_6.1.176-1_source.buildinfo
Checksums-Sha256:
 640124b35c5d7e32af9a9d536c47cfebf723fbb86bfbb25d0f2729b798bca35e 290776 
linux_6.1.176-1.dsc
 9aad4025973feea3f0d978e82ab7db97d8d5ce3f59fcc6b1f316153d66e3a504 137945728 
linux_6.1.176.orig.tar.xz
 10477b04dc15f7c1c52d8c812c889be5fd37aa178163e352755cd137c73ade6b 1873136 
linux_6.1.176-1.debian.tar.xz
 02c7115da0c0a2aa72b251ad98090388f0842bb2136a0c1113519b607878a664 6537 
linux_6.1.176-1_source.buildinfo
Files:
 5293dfe525a253ae95342e2b28388a1a 290776 kernel optional linux_6.1.176-1.dsc
 8ed41488a97b99fe31a4e16184f7bef7 137945728 kernel optional 
linux_6.1.176.orig.tar.xz
 7e40cb422a15f62b48d9e077cce6d2a9 1873136 kernel optional 
linux_6.1.176-1.debian.tar.xz
 d545a16aa102ac5761527c46a969e0f1 6537 kernel optional 
linux_6.1.176-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmpG9AoACgkQ57/I7JWG
EQlMcw//dwk7T9atm43n4jPrNWFT2uAsmi4joSJ9D2KErm3K85g68zHxJeVZmBc8
o3/Mu9FNsk7b4SE+w/snoSTQQnLnk3Fy0StLbwEhBZpjOIyRkktTNu8QP5ed0Kar
vIWH+h2auc4jXgtS3jkVOJ27QFcfOcCzf+UQeoFn6VrHAezqubIU1uqrqyWgcrOa
RL12+nv/FEkMob61Br05kFVv5vSzi/6CrhyT3dRRUErJu0r8Jyr8xTTIUFyhSRso
vGhJ5qaO/EoQUQyiV+rRmFC0B7wn+kgDL4ZGzmPP363Iyhn79/LZ+JFbl/9I9TIM
tsNA5K8KnYr0Ae6ymKCah3um5/6FP5aw/qIknBV3+Xl0o6Vy/Rpq2OIg2URpQPzx
W2t2326xVIpmqTDvww0lE+L2cx657f4cBS3MOP0y1efYf92A+zFbKOqx0xZ+lCpS
UP+XPy6oM1abvakYAGbVTdFHZSMts8cjLiI8aYwVvTCy9XFhW4RgWCQt6mxdepiH
oZ+v38ZOvbbXP7LaE/qDnpJWhYpa2J+C+NAllY1aBq1iCFXt/DSfH4jkgBvwt54+
Qo0KCtJzcczau2I/QmrZOXWJQLCJrTrAx1TS4ew9WJfUxtFYLCzaQpRzGgpJfnRZ
rjR0llEiv8dHD0l+P9ZO/oAFwldLrowlEfzVoiiY/GR9ueWMVyU=
=ch9X
-----END PGP SIGNATURE-----

Attachment: pgpZLMK_TnWvW.pgp
Description: PGP signature

Reply via email to