Your message dated Sat, 04 Jul 2026 14:43:25 +0000
with message-id <[email protected]>
and subject line Bug#1130365: fixed in linux 6.1.176-1
has caused the Debian Bug report #1130365,
regarding linux-image-6.17.13+deb14-amd64: One time kernel NULL pointer
dereference, trace shows lp and parport
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130365: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130365
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:linux
Version: 6.17.13-1
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
* What led up to the situation?
I noticed that my system is taking longer than usual to boot, so I
investigated and found that the systemd-modules service hanging for
quite long (>2 mins).
* What exactly did you do (or not do) that was effective (or
ineffective)?
I hard-resetted the laptop and changed to an older kernel. After some
searching around, I tried to recreate the problem unsuccessfully.
Subsequent boots of this suspected kernel did not exhibit the error.
I noticed Bug #1124075 regarding lp crashes in 6.17.12, which is the
closest to what I'm having. I tried the reporter approach of manually
unloading and loading lp/parport using 'sudo modprobe -v lp' and 'sudo
modprobe -v parport'. Found no error with 'dmesg -w'. parport can not be
unloaded due to being in use.
Here's the excerpt from the journalctl command for the boot with error:
---
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
Oops: Oops: 0010 [#1] SMP PTI
CPU: 2 UID: 0 PID: 343 Comm: systemd-modules Not tainted
6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1
Hardware name: Dell Inc. Latitude E5470/0VHKV0, BIOS 1.34.3 11/20/2022
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0000:ffffd0998064fa40 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8bde160a0800 RCX: 0000000000000007
RDX: ffffffffc116fac0 RSI: ffff8bde28714ca0 RDI: ffff8bde09b76800
RBP: ffffd0998064fa98 R08: 00000000fffffff3 R09: 0000000000000000
R10: ffff8bde1946c000 R11: fffff78544651a00 R12: ffff8bde160a0840
R13: ffff8bde09b76850 R14: ffff8bde09b76800 R15: ffff8bde10767f68
FS: 00007fd7004d6c80(0000) GS:ffff8be184308000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001353fe006 CR4: 00000000003706f0
Call Trace:
<TASK>
parport_register_dev_model+0x26c/0x340 [parport]
lp_register+0x86/0x1b0 [lp]
? __pfx_lp_preempt+0x10/0x10 [lp]
? __pfx_port_check+0x10/0x10 [parport]
lp_attach+0x89/0x110 [lp]
port_check+0x24/0x30 [parport]
bus_for_each_dev+0x82/0xd0
__parport_register_driver+0x82/0xb0 [parport]
lp_init_module+0x39f/0xff0 [lp]
? __pfx_lp_init_module+0x10/0x10 [lp]
do_one_initcall+0x58/0x300
do_init_module+0x62/0x250
? init_module_from_file+0x8a/0xe0
init_module_from_file+0x8a/0xe0
idempotent_init_module+0x114/0x310
__x64_sys_finit_module+0x6d/0xd0
do_syscall_64+0x82/0x320
? restore_fpregs_from_fpstate+0x46/0xa0
? switch_fpu_return+0x5b/0xe0
? do_syscall_64+0x200/0x320
? __x64_sys_openat+0x61/0xa0
? do_syscall_64+0xbb/0x320
? count_memcg_events+0xd6/0x220
? handle_mm_fault+0x1d6/0x2d0
? do_user_addr_fault+0x21a/0x690
? exc_page_fault+0x74/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fd700311aa9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 37 13 10 00 f7 d8 64 8>
RSP: 002b:00007ffe8f710d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055db35eb5570 RCX: 00007fd700311aa9
RDX: 0000000000000004 RSI: 00007fd7004b144d RDI: 0000000000000009
RBP: 0000000000000004 R08: 0000000000000000 R09: 000055db35eb73c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd7004b144d
R13: 0000000000020000 R14: 000055db35eb5690 R15: 0000000000000000
</TASK>
Modules linked in: lp(+) parport_pc(+) nvme_fabrics parport i2c_dev
configfs efi_pstore nfnetlink efivarfs autofs4 ext4 crc16 mbcache jbd2
crc32c_cryptoapi hid_logitech_hidpp hid_logitech_dj h>
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0000:ffffd0998064fa40 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8bde160a0800 RCX: 0000000000000007
RDX: ffffffffc116fac0 RSI: ffff8bde28714ca0 RDI: ffff8bde09b76800
RBP: ffffd0998064fa98 R08: 00000000fffffff3 R09: 0000000000000000
R10: ffff8bde1946c000 R11: fffff78544651a00 R12: ffff8bde160a0840
R13: ffff8bde09b76850 R14: ffff8bde09b76800 R15: ffff8bde10767f68
FS: 00007fd7004d6c80(0000) GS:ffff8be184308000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001353fe006 CR4: 00000000003706f0
---
-- Package-specific info:
** Version:
Linux version 6.17.13+deb14-amd64 ([email protected])
(x86_64-linux-gnu-gcc-15 (Debian 15.2.0-12) 15.2.0, GNU ld (GNU Binutils for
Debian) 2.45.50.20251209) #1 SMP PREEMPT_DYNAMIC Debian 6.17.13-1 (2025-12-20)
** Command line:
BOOT_IMAGE=/vmlinuz-6.17.13+deb14-amd64 root=/dev/mapper/debian--vg-root ro
quiet
** Not tainted
** Kernel log:
[ 7.663592] RAPL PMU: hw unit of domain psys 2^-14 Joules
[ 8.090489] iwlwifi 0000:01:00.0: base HW address: f4:8c:50:b3:09:66, OTP
minor version: 0x4
[ 8.135073] EXT4-fs (nvme0n1p2): mounting ext2 file system using the ext4
subsystem
[ 8.150230] EXT4-fs (nvme0n1p2): mounted filesystem
0acb81bf-9d43-4ad2-b245-bff154213d6a r/w without journal. Quota mode: none.
[ 8.150357] intel_rapl_common: Found RAPL domain package
[ 8.150360] intel_rapl_common: Found RAPL domain core
[ 8.150362] intel_rapl_common: Found RAPL domain uncore
[ 8.150364] intel_rapl_common: Found RAPL domain dram
[ 8.150366] intel_rapl_common: Found RAPL domain psys
[ 8.158916] dell_laptop: Using i8042 filter function for receiving events
[ 8.188553] ieee80211 phy0: Selected rate control algorithm 'iwl-mvm-rs'
[ 8.199355] ACPI: battery: new hook: Dell Primary Battery Extension
[ 8.425734] Bluetooth: Core ver 2.22
[ 8.425764] NET: Registered PF_BLUETOOTH protocol family
[ 8.425767] Bluetooth: HCI device and connection manager initialized
[ 8.425771] Bluetooth: HCI socket layer initialized
[ 8.425774] Bluetooth: L2CAP socket layer initialized
[ 8.425780] Bluetooth: SCO socket layer initialized
[ 8.446295] mc: Linux media interface: v0.10
[ 8.528866] videodev: Linux video capture interface: v2.00
[ 8.600194] iwlwifi 0000:01:00.0 wlp1s0: renamed from wlan0
[ 8.651084] audit: type=1400 audit(1767275583.595:4): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="QtWebEngineProcess" pid=838
comm="apparmor_parser"
[ 8.651156] audit: type=1400 audit(1767275583.595:5): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="Discord" pid=836
comm="apparmor_parser"
[ 8.651551] audit: type=1400 audit(1767275583.595:6): apparmor="STATUS"
operation="profile_load" profile="unconfined"
name=4D6F6E676F444220436F6D70617373 pid=837 comm="apparmor_parser"
[ 8.651787] audit: type=1400 audit(1767275583.595:7): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="1password" pid=835
comm="apparmor_parser"
[ 8.655588] audit: type=1400 audit(1767275583.599:8): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="balena-etcher" pid=840
comm="apparmor_parser"
[ 8.659157] audit: type=1400 audit(1767275583.603:9): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="brave" pid=841
comm="apparmor_parser"
[ 8.659754] audit: type=1400 audit(1767275583.603:10): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="busybox" pid=843
comm="apparmor_parser"
[ 8.659876] audit: type=1400 audit(1767275583.603:11): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="buildah" pid=842
comm="apparmor_parser"
[ 8.665658] audit: type=1400 audit(1767275583.611:12): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="cam" pid=844
comm="apparmor_parser"
[ 8.665753] audit: type=1400 audit(1767275583.611:13): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="ch-checkns" pid=845
comm="apparmor_parser"
[ 8.704256] usb 1-2: Found UVC 1.00 device Integrated_Webcam_HD (1bcf:28b8)
[ 8.716729] usbcore: registered new interface driver btusb
[ 8.718089] Bluetooth: hci0: Bootloader revision 0.0 build 2 week 52 2014
[ 8.726352] Bluetooth: hci0: Device revision is 5
[ 8.726358] Bluetooth: hci0: Secure boot is enabled
[ 8.726360] Bluetooth: hci0: OTP lock is enabled
[ 8.726362] Bluetooth: hci0: API lock is enabled
[ 8.726363] Bluetooth: hci0: Debug lock is disabled
[ 8.726365] Bluetooth: hci0: Minimum firmware build 1 week 10 2014
[ 8.730931] Bluetooth: hci0: Found device firmware: intel/ibt-11-5.sfi
[ 8.781243] usbcore: registered new interface driver uvcvideo
[ 8.908516] snd_hda_intel 0000:00:1f.3: enabling device (0000 -> 0002)
[ 8.908723] snd_hda_intel 0000:00:1f.3: bound 0000:00:02.0 (ops
intel_audio_component_bind_ops [i915])
[ 9.039993] snd_hda_codec_alc269 hdaudioC0D0: ALC3235: picked fixup for PCI
SSID 1028:06de
[ 9.040621] snd_hda_codec_alc269 hdaudioC0D0: autoconfig for ALC3235:
line_outs=1 (0x16/0x0/0x0/0x0/0x0) type:line
[ 9.040628] snd_hda_codec_alc269 hdaudioC0D0: speaker_outs=1
(0x14/0x0/0x0/0x0/0x0)
[ 9.040633] snd_hda_codec_alc269 hdaudioC0D0: hp_outs=1
(0x15/0x0/0x0/0x0/0x0)
[ 9.040636] snd_hda_codec_alc269 hdaudioC0D0: mono: mono_out=0x0
[ 9.040639] snd_hda_codec_alc269 hdaudioC0D0: inputs:
[ 9.040641] snd_hda_codec_alc269 hdaudioC0D0: Internal Mic=0x13
[ 9.040645] snd_hda_codec_alc269 hdaudioC0D0: Headset Mic=0x1a
[ 9.040648] snd_hda_codec_alc269 hdaudioC0D0: Headphone Mic=0x18
[ 9.040651] snd_hda_codec_alc269 hdaudioC0D0: Dock Mic=0x19
[ 9.100782] input: HDA Digital PCBeep as
/devices/pci0000:00/0000:00:1f.3/sound/card0/input22
[ 9.100867] input: HDA Intel PCH Headphone Mic as
/devices/pci0000:00/0000:00:1f.3/sound/card0/input23
[ 9.101169] input: HDA Intel PCH Dock Mic as
/devices/pci0000:00/0000:00:1f.3/sound/card0/input24
[ 9.101249] input: HDA Intel PCH Dock Line Out as
/devices/pci0000:00/0000:00:1f.3/sound/card0/input25
[ 9.101323] input: HDA Intel PCH HDMI/DP,pcm=3 as
/devices/pci0000:00/0000:00:1f.3/sound/card0/input26
[ 9.101406] input: HDA Intel PCH HDMI/DP,pcm=7 as
/devices/pci0000:00/0000:00:1f.3/sound/card0/input27
[ 9.104587] input: HDA Intel PCH HDMI/DP,pcm=8 as
/devices/pci0000:00/0000:00:1f.3/sound/card0/input28
[ 9.255422] input: keyd virtual keyboard as /devices/virtual/input/input29
[ 9.273323] nvme nvme0: using unchecked data buffer
[ 9.345002] input: keyd virtual pointer as /devices/virtual/input/input30
[ 9.488044] evm: overlay not supported
[ 9.514282] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 9.514289] Bluetooth: BNEP filters: protocol multicast
[ 9.514296] Bluetooth: BNEP socket layer initialized
[ 9.722668] block nvme0n1: No UUID available providing old NGUID
[ 9.793404] NET: Registered PF_QIPCRTR protocol family
[ 10.741539] Bluetooth: hci0: Waiting for firmware download to complete
[ 10.744459] Bluetooth: hci0: Firmware loaded in 1966329 usecs
[ 10.744539] Bluetooth: hci0: Waiting for device to boot
[ 10.755932] Bluetooth: hci0: Device booted in 11166 usecs
[ 10.756116] Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-11-5.ddc
[ 10.759970] Bluetooth: hci0: Applying Intel DDC parameters completed
[ 10.761413] Bluetooth: hci0: Firmware revision 0.0 build 14 week 44 2021
[ 10.762923] Bluetooth: hci0: Reading supported features failed (-16)
[ 10.763520] Bluetooth: hci0: Error reading debug features
[ 10.763524] Bluetooth: hci0: HCI LE Coded PHY feature bit is set, but its
usage is not supported.
[ 10.808292] Bluetooth: MGMT ver 1.23
[ 10.825174] NET: Registered PF_ALG protocol family
[ 10.922796] Bluetooth: RFCOMM TTY layer initialized
[ 10.922805] Bluetooth: RFCOMM socket layer initialized
[ 10.922814] Bluetooth: RFCOMM ver 1.11
[ 13.851908] wlp1s0: authenticate with c0:51:5c:c8:46:69 (local
address=f4:8c:50:b3:09:66)
[ 13.853312] wlp1s0: send auth to c0:51:5c:c8:46:69 (try 1/3)
[ 13.859522] wlp1s0: authenticated
[ 13.864477] wlp1s0: associate with c0:51:5c:c8:46:69 (try 1/3)
[ 13.866157] wlp1s0: RX AssocResp from c0:51:5c:c8:46:69 (capab=0x1831
status=0 aid=2)
[ 13.870321] wlp1s0: associated
[ 13.927872] wlp1s0: Limiting TX power to 27 (27 - 0) dBm as advertised by
c0:51:5c:c8:46:69
[ 14.174884] Lockdown: systemd-logind: hibernation is restricted; see man
kernel_lockdown.7
[ 14.441210] rfkill: input handler disabled
[ 17.056140] usb 1-8: USB disconnect, device number 5
[ 20.466224] rfkill: input handler enabled
[ 22.735647] Lockdown: systemd-logind: hibernation is restricted; see man
kernel_lockdown.7
[ 23.468590] rfkill: input handler disabled
[ 27.647641] SCSI subsystem initialized
[ 36.725892] logitech-hidpp-device 0003:046D:4094.0003: HID++ 4.5 device
connected.
** Model information
sys_vendor: Dell Inc.
product_name: Latitude E5470
product_version:
chassis_vendor: Dell Inc.
chassis_version:
bios_vendor: Dell Inc.
bios_version: 1.34.3
board_vendor: Dell Inc.
board_name: 0VHKV0
board_version: A00
** Configuration for modprobe:
blacklist microcode
blacklist arkfb
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist cirrusfb
blacklist cyber2000fb
blacklist kyrofb
blacklist matroxfb_base
blacklist mb862xxfb
blacklist neofb
blacklist pm2fb
blacklist pm3fb
blacklist s3fb
blacklist savagefb
blacklist sisfb
blacklist tdfxfb
blacklist tridentfb
blacklist vt8623fb
blacklist microcode
options snd_pcsp index=-2
options cx88_alsa index=-2
options snd_atiixp_modem index=-2
options snd_intel8x0m index=-2
options snd_via82xx_modem index=-2
options bonding max_bonds=0
options dummy numdummies=0
options ifb numifbs=0
** Loaded modules:
sd_mod
scsi_mod
scsi_common
ccm
snd_seq_dummy
snd_hrtimer
snd_seq
snd_seq_device
rfcomm
cmac
algif_hash
algif_skcipher
af_alg
qrtr
bnep
overlay
uinput
snd_hda_codec_intelhdmi
snd_hda_codec_alc269
snd_hda_scodec_component
snd_hda_codec_realtek_lib
snd_hda_codec_generic
snd_hda_intel
snd_sof_pci_intel_skl
snd_sof_intel_hda_generic
soundwire_intel
soundwire_generic_allocation
snd_sof_intel_hda_sdw_bpt
snd_sof_intel_hda_common
binfmt_misc
snd_soc_hdac_hda
snd_sof_intel_hda_mlink
snd_sof_intel_hda
uvcvideo
snd_hda_codec_hdmi
videobuf2_vmalloc
btusb
uvc
soundwire_cadence
videobuf2_memops
btrtl
snd_sof_pci
videobuf2_v4l2
snd_sof_xtensa_dsp
videodev
btintel
btbcm
videobuf2_common
snd_sof
x86_pkg_temp_thermal
nls_ascii
btmtk
nls_cp437
mc
intel_powerclamp
snd_sof_utils
bluetooth
vfat
fat
snd_soc_acpi_intel_match
coretemp
snd_soc_acpi_intel_sdca_quirks
snd_soc_acpi
mei_pxp
dell_pc
crc8
ecdh_generic
platform_profile
snd_ctl_led
soundwire_bus
kvm_intel
mei_hdcp
mei_wdt
snd_soc_sdca
intel_rapl_msr
dell_laptop
kvm
snd_soc_avs
iwlmvm
snd_soc_hda_codec
snd_hda_ext_core
irqbypass
dell_smm_hwmon
ghash_clmulni_intel
snd_hda_codec
mac80211
snd_hda_core
snd_intel_dspcfg
aesni_intel
snd_intel_sdw_acpi
snd_hwdep
libarc4
rapl
snd_soc_core
intel_cstate
dell_wmi
intel_uncore
firmware_attributes_class
snd_compress
iwlwifi
snd_pcm_dmaengine
processor_thermal_device_pci_legacy
snd_pcm
dell_smbios
processor_thermal_device
dcdbas
processor_thermal_wt_hint
sparse_keymap
intel_wmi_thunderbolt
pcspkr
wmi_bmof
dell_wmi_descriptor
ee1004
snd_timer
platform_temperature_control
cfg80211
snd
processor_thermal_rfim
processor_thermal_rapl
soundcore
mei_me
intel_rapl_common
processor_thermal_wt_req
mei
processor_thermal_power_floor
processor_thermal_mbox
intel_xhci_usb_role_switch
intel_soc_dts_iosf
roles
intel_pch_thermal
intel_pmc_core
pmt_telemetry
pmt_discovery
pmt_class
dell_lis3lv02d
dell_rbtn
int3403_thermal
intel_pmc_ssram_telemetry
int3400_thermal
dell_smo8800
int340x_thermal_zone
rfkill
intel_vsec
ac
acpi_thermal_rel
acpi_pad
evdev
joydev
msr
lp
ppdev
parport_pc
nvme_fabrics
i2c_dev
parport
configfs
efi_pstore
nfnetlink
efivarfs
autofs4
ext4
crc16
mbcache
jbd2
crc32c_cryptoapi
hid_logitech_hidpp
hid_logitech_dj
hid_generic
usbhid
hid
i915
drm_buddy
ttm
i2c_algo_bit
dm_mod
drm_display_helper
cec
rc_core
drm_client_lib
iTCO_wdt
drm_kms_helper
intel_pmc_bxt
rtsx_pci_sdmmc
xhci_pci
iTCO_vendor_support
mmc_core
psmouse
drm
watchdog
nvme
xhci_hcd
nvme_core
serio_raw
rtsx_pci
nvme_keyring
video
i2c_i801
e1000e
usbcore
nvme_auth
button
battery
i2c_smbus
wmi
usb_common
** Network interface configuration:
*** /etc/network/interfaces:
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state
DOWN group default qlen 1000
link/ether d4:81:d7:77:be:f4 brd ff:ff:ff:ff:ff:ff
altname enxd481d777bef4
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default qlen 1000
link/ether f4:8c:50:b3:09:66 brd ff:ff:ff:ff:ff:ff
altname wlxf48c50b30966
inet 192.168.1.11/24 brd 192.168.1.255 scope global dynamic noprefixroute
wlp1s0
valid_lft 2470sec preferred_lft 2470sec
inet6 2402:800:62a7:9bfa:2403:4cae:cb0c:ccb0/64 scope global temporary
dynamic
valid_lft 68765sec preferred_lft 68765sec
inet6 2402:800:62a7:9bfa:f68c:50ff:feb3:966/64 scope global dynamic
mngtmpaddr noprefixroute
valid_lft 68765sec preferred_lft 68765sec
inet6 fe80::f68c:50ff:feb3:966/64 scope link noprefixroute
valid_lft forever preferred_lft forever
*** Device statistics:
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes
packets errs drop fifo colls carrier compressed
lo: 30870 325 0 0 0 0 0 0 30870
325 0 0 0 0 0 0
enp0s31f6: 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
wlp1s0: 7111323 10357 0 0 0 0 0 0 4843883
8730 0 0 0 0 0 0
*** Protocol statistics:
Ip:
Forwarding: 2
895 total packets received
0 forwarded
0 incoming packets discarded
892 incoming packets delivered
920 requests sent out
OutTransmits: 920
Icmp:
0 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
4 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 4
IcmpMsg:
OutType3: 4
Tcp:
155 active connection openings
0 passive connection openings
11 failed connection attempts
15 connection resets received
8 connections established
4592 segments received
4436 segments sent out
20 segments retransmitted
0 bad segments received
197 resets sent
Udp:
410 packets received
4 packets to unknown port received
0 packet receive errors
353 packets sent
0 receive buffer errors
0 send buffer errors
IgnoredMulti: 1
UdpLite:
TcpExt:
57 TCP sockets finished time wait in fast timer
8 packets rejected in established connections because of timestamp
PAWSTimewait: 2
105 delayed acks sent
Quick ack mode was activated 7 times
391 packet headers predicted
776 acknowledgments not containing data payload received
674 predicted acknowledgments
Detected reordering 117 times using SACK
TCPTimeouts: 3
TCPLossProbes: 17
TCPBacklogCoalesce: 8
TCPDSACKOldSent: 7
TCPDSACKRecv: 11
35 connections reset due to unexpected data
15 connections reset due to early user close
TCPSACKDiscard: 2
TCPDSACKIgnoredNoUndo: 2
TCPSackMerged: 1
TCPSackShiftFallback: 151
IPReversePathFilter: 1
TCPRcvCoalesce: 989
TCPOFOQueue: 16
TCPSpuriousRtxHostQueues: 1
TCPAutoCorking: 213
TCPSynRetrans: 3
TCPOrigDataSent: 1975
TCPACKSkippedTimeWait: 19
TCPKeepAlive: 48
TCPDelivered: 2050
TcpTimeoutRehash: 3
TCPDSACKRecvSegs: 9
TCPDSACKIgnoredDubious: 2
IpExt:
InMcastPkts: 122
OutMcastPkts: 69
InBcastPkts: 1
InOctets: 274030
OutOctets: 134664
InMcastOctets: 15440
OutMcastOctets: 8513
InBcastOctets: 229
InNoECTPkts: 937
MPTcpExt:
** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th
Gen Core Processor Host Bridge/DRAM Registers [8086:1904] (rev 08)
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
IOMMU group: 1
Capabilities: <access denied>
Kernel driver in use: skl_uncore
00:02.0 VGA compatible controller [0300]: Intel Corporation Skylake GT2 [HD
Graphics 520] [8086:1916] (rev 07) (prog-if 00 [VGA controller])
DeviceName: Onboard IGD
Subsystem: Dell Device [1028:06de]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 138
IOMMU group: 0
Region 0: Memory at e0000000 (64-bit, non-prefetchable) [size=16M]
Region 2: Memory at d0000000 (64-bit, prefetchable) [size=256M]
Region 4: I/O ports at f000 [size=64]
Expansion ROM at 000c0000 [virtual] [disabled] [size=128K]
Capabilities: <access denied>
Kernel driver in use: i915
Kernel modules: i915
00:04.0 Signal processing controller [1180]: Intel Corporation Xeon E3-1200
v5/E3-1500 v5/6th Gen Core Processor Thermal Subsystem [8086:1903] (rev 08)
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Interrupt: pin A routed to IRQ 16
IOMMU group: 2
Region 0: Memory at e1340000 (64-bit, non-prefetchable) [size=32K]
Capabilities: <access denied>
Kernel driver in use: proc_thermal
Kernel modules: processor_thermal_device_pci_legacy
00:14.0 USB controller [0c03]: Intel Corporation Sunrise Point-LP USB 3.0 xHCI
Controller [8086:9d2f] (rev 21) (prog-if 30 [XHCI])
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 133
IOMMU group: 3
Region 0: Memory at e1330000 (64-bit, non-prefetchable) [size=64K]
Capabilities: <access denied>
Kernel driver in use: xhci_hcd
Kernel modules: xhci_pci
00:14.2 Signal processing controller [1180]: Intel Corporation Sunrise Point-LP
Thermal subsystem [8086:9d31] (rev 21)
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Interrupt: pin C routed to IRQ 18
IOMMU group: 3
Region 0: Memory at e1353000 (64-bit, non-prefetchable) [size=4K]
Capabilities: <access denied>
Kernel driver in use: intel_pch_thermal
Kernel modules: intel_pch_thermal
00:16.0 Communication controller [0780]: Intel Corporation Sunrise Point-LP
CSME HECI #1 [8086:9d3a] (rev 21)
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 139
IOMMU group: 4
Region 0: Memory at e1352000 (64-bit, non-prefetchable) [size=4K]
Capabilities: <access denied>
Kernel driver in use: mei_me
Kernel modules: mei_me
00:16.3 Serial controller [0700]: Intel Corporation Sunrise Point-LP Active
Management Technology - SOL [8086:9d3d] (rev 21) (prog-if 02 [16550])
Subsystem: Dell Device [1028:06de]
Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Interrupt: pin D routed to IRQ 19
IOMMU group: 4
Region 0: I/O ports at f060 [size=8]
Region 1: Memory at e1351000 (32-bit, non-prefetchable) [size=4K]
Capabilities: <access denied>
Kernel driver in use: serial
00:1c.0 PCI bridge [0604]: Intel Corporation Sunrise Point-LP PCI Express Root
Port #5 [8086:9d14] (rev f1) (prog-if 00 [Normal decode])
Subsystem: Dell Device [1028:06de]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 123
IOMMU group: 5
Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
I/O behind bridge: [disabled] [16-bit]
Memory behind bridge: e1200000-e12fffff [size=1M] [32-bit]
Prefetchable memory behind bridge: [disabled] [64-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16+ MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
00:1d.0 PCI bridge [0604]: Intel Corporation Sunrise Point-LP PCI Express Root
Port #9 [8086:9d18] (rev f1) (prog-if 00 [Normal decode])
Subsystem: Dell Device [1028:06de]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 124
IOMMU group: 6
Bus: primary=00, secondary=02, subordinate=02, sec-latency=0
I/O behind bridge: [disabled] [16-bit]
Memory behind bridge: e1100000-e11fffff [size=1M] [32-bit]
Prefetchable memory behind bridge: [disabled] [64-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16+ MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
00:1d.2 PCI bridge [0604]: Intel Corporation Sunrise Point-LP PCI Express Root
Port #11 [8086:9d1a] (rev f1) (prog-if 00 [Normal decode])
Subsystem: Dell Device [1028:06de]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin C routed to IRQ 125
IOMMU group: 7
Bus: primary=00, secondary=03, subordinate=03, sec-latency=0
I/O behind bridge: [disabled] [16-bit]
Memory behind bridge: e1000000-e10fffff [size=1M] [32-bit]
Prefetchable memory behind bridge: [disabled] [64-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16+ MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
00:1f.0 ISA bridge [0601]: Intel Corporation Sunrise Point-LP LPC Controller
[8086:9d48] (rev 21)
Subsystem: Dell Device [1028:06de]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
IOMMU group: 8
00:1f.2 Memory controller [0580]: Intel Corporation Sunrise Point-LP PMC
[8086:9d21] (rev 21)
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 8
Region 0: Memory at e134c000 (32-bit, non-prefetchable) [disabled]
[size=16K]
00:1f.3 Audio device [0403]: Intel Corporation Sunrise Point-LP HD Audio
[8086:9d70] (rev 21) (prog-if 00 [HDA compatible])
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 32
Interrupt: pin A routed to IRQ 141
IOMMU group: 8
Region 0: Memory at e1348000 (64-bit, non-prefetchable) [size=16K]
Region 4: Memory at e1320000 (64-bit, non-prefetchable) [size=64K]
Capabilities: <access denied>
Kernel driver in use: snd_hda_intel
Kernel modules: snd_soc_avs, snd_sof_pci_intel_skl, snd_hda_intel
00:1f.4 SMBus [0c05]: Intel Corporation Sunrise Point-LP SMBus [8086:9d23] (rev
21)
Subsystem: Dell Device [1028:06de]
Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Interrupt: pin A routed to IRQ 16
IOMMU group: 8
Region 0: Memory at e1350000 (64-bit, non-prefetchable) [size=256]
Region 4: I/O ports at f040 [size=32]
Kernel driver in use: i801_smbus
Kernel modules: i2c_i801
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection
I219-LM [8086:156f] (rev 21)
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 126
IOMMU group: 8
Region 0: Memory at e1300000 (32-bit, non-prefetchable) [size=128K]
Capabilities: <access denied>
Kernel driver in use: e1000e
Kernel modules: e1000e
01:00.0 Network controller [0280]: Intel Corporation Wireless 8260 [8086:24f3]
(rev 3a)
Subsystem: Intel Corporation Device [8086:0050]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 140
IOMMU group: 9
Region 0: Memory at e1200000 (64-bit, non-prefetchable) [size=8K]
Capabilities: <access denied>
Kernel driver in use: iwlwifi
Kernel modules: iwlwifi
02:00.0 Non-Volatile memory controller [0108]: Sandisk Corp WD Blue SN580 NVMe
SSD (DRAM-less) [15b7:5041] (rev 01) (prog-if 02 [NVM Express])
Subsystem: Sandisk Corp WD Blue SN580 NVMe SSD (DRAM-less) [15b7:5041]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 16
IOMMU group: 10
Region 0: Memory at e1100000 (64-bit, non-prefetchable) [size=16K]
Capabilities: <access denied>
Kernel driver in use: nvme
Kernel modules: nvme
03:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS525A PCI
Express Card Reader [10ec:525a] (rev 01)
Subsystem: Dell Device [1028:06de]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 127
IOMMU group: 11
Region 1: Memory at e1000000 (32-bit, non-prefetchable) [size=4K]
Capabilities: <access denied>
Kernel driver in use: rtsx_pci
Kernel modules: rtsx_pci
** USB devices:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 1bcf:28b8 Sunplus Innovation Technology Inc.
Integrated_Webcam_HD
Bus 001 Device 003: ID 046d:c52f Logitech, Inc. Nano Receiver
Bus 001 Device 004: ID 0a5c:5832 Broadcom Corp. BCM5880 Secure Applications
Processor Smartcard reader
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
-- System Information:
Debian Release: forky/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.17.13+deb14-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages linux-image-6.17.13+deb14-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.150
ii kmod 34.2-2
ii linux-base 4.14
Versions of packages linux-image-6.17.13+deb14-amd64 recommends:
ii apparmor 4.1.0-1+b1
Versions of packages linux-image-6.17.13+deb14-amd64 suggests:
pn debian-kernel-handbook <none>
ii firmware-linux-free 20241210-2
ii grub-efi-amd64 2.14~git20250718.0e36779-2
pn linux-doc-6.17 <none>
Versions of packages linux-image-6.17.13+deb14-amd64 is related to:
ii firmware-amd-graphics 20251111-1
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-cirrus <none>
ii firmware-intel-graphics 20251111-1
ii firmware-intel-misc 20251111-1
pn firmware-intel-sound <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
ii firmware-iwlwifi 20251111-1
pn firmware-libertas <none>
pn firmware-marvell-prestera <none>
ii firmware-mediatek 20251111-1
ii firmware-misc-nonfree 20251111-1
pn firmware-myricom <none>
pn firmware-netronome <none>
pn firmware-netxen <none>
ii firmware-nvidia-graphics 20251111-1
pn firmware-qcom-soc <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 6.1.176-1
Done: Ben Hutchings <[email protected]>
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 15:50:42 +0200
Source: linux
Architecture: source
Version: 6.1.176-1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Closes: 1130365
Changes:
linux (6.1.176-1) bookworm-security; urgency=high
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.175
- [x86] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
- [x86] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
- [arm64] media: rkvdec: reduce stack usage in
rkvdec_init_v4l2_vp9_count_tbl()
- [x86] ALSA: asihpi: avoid write overflow check warning
- [x86] ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
- can: mcp251x: add error handling for power enable in open and resume
- btrfs: tracepoints: get correct superblock from dentry in event
btrfs_sync_file() (CVE-2026-43117)
- [x86] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
- [x86] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
expiry (CVE-2026-43114)
- [x86] ALSA: hda/realtek: add quirk for Framework F111:000F
- wifi: wl1251: validate packet IDs before indexing tx_frames
(CVE-2026-43113)
- ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
- ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
- fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
(CVE-2026-43112)
- [x86] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
- [x86] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
debouncer)
- HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
- [x86] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
- HID: roccat: fix use-after-free in roccat_report_event (CVE-2026-43111)
- ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
- wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110)
- [armhf] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
- [armhf] soc: aspeed: socinfo: Mask table entries for accurate SoC ID
matching
- [arm64] dts: imx8mq: Set the correct gpu_ahb clock frequency
- PCI: hv: Set default NUMA node to 0 for devices without affinity info
- [arm*] drm/vc4: Release runtime PM reference after binding V3D
- [arm*] drm/vc4: Fix memory leak of BO array in hang state
(CVE-2026-43105)
- [arm*] drm/vc4: Fix a memory leak in hang state error path
(CVE-2026-43104)
- [arm*] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
- epoll: use refcount to reduce ep_mutex contention
- eventpoll: defer struct eventpoll free to RCU grace period
(CVE-2026-43074)
- net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
- net: lapbether: handle NETDEV_PRE_TYPE_CHANGE (CVE-2026-43103)
- ipv4: icmp: fix null-ptr-deref in icmp_build_probe() (CVE-2026-43099)
- nfc: s3fwrn5: allocate rx skb before consuming bytes (CVE-2026-43098)
- tracing/probe: reject non-closed empty immediate strings
- ixgbevf: add missing negotiate_features op to Hyper-V ops table
(CVE-2026-43094)
- e1000: check return value of e1000_read_eeprom
- xsk: tighten UMEM headroom validation to account for tailroom and min
frame (CVE-2026-43093)
- xfrm_user: fix info leak in build_mapping() (CVE-2026-43089)
- netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
(CVE-2026-43085)
- netfilter: xt_multiport: validate range encoding in checkentry
(CVE-2026-31681)
- netfilter: ip6t_eui64: reject invalid MAC header for all packets
(CVE-2026-31685)
- af_unix: read UNIX_DIAG_VFS data under unix_state_lock (CVE-2026-31673)
- l2tp: Drop large packets with UDP encap (CVE-2026-43080)
- [arm64,armhf] gpio: tegra: fix irq_release_resources calling enable
instead of disable
- [x86] perf/x86/intel/uncore: Skip discovery table for offline dies
(CVE-2026-43079)
- Revert "drm: Fix use-after-free on framebuffers and property blobs when
calling drm_dev_unplug" (regression in 6.1.167)
- netfilter: conntrack: add missing netlink policy validations
(CVE-2026-31407)
- [x86] drm/i915/psr: Do not use pipe_src as borders for SU area
- nfc: llcp: add missing return after LLCP_CLOSED checks (CVE-2026-31629)
- can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
- [arm*] i2c: s3c24xx: check the size of the SMBUS message before using it
(CVE-2026-31627)
- staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
(CVE-2026-31626)
- HID: alps: fix NULL pointer dereference in alps_raw_event()
(CVE-2026-31625)
- HID: core: clamp report_size in s32ton() to avoid undefined shift
(CVE-2026-31624)
- net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
(CVE-2026-31623)
- NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
(CVE-2026-31622)
- [arm*] drm/vc4: platform_get_irq_byname() returns an int (CVE-2026-43072)
- ALSA: fireworks: bound device-supplied status before string array lookup
(CVE-2026-31619)
- fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31618)
- usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
(CVE-2026-31617)
- usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
(CVE-2026-31616)
- [arm64,armhf] usb: gadget: renesas_usb3: validate endpoint index in
standard request handlers (CVE-2026-31615)
- ksmbd: validate EaNameLength in smb2_get_ea() (CVE-2026-31612)
- ksmbd: require 3 sub-authorities before reading sub_auth[2]
(CVE-2026-31611)
- usbip: validate number_of_packets in usbip_pack_ret_submit()
(CVE-2026-31607)
- usb: storage: Expand range of matched versions for VL817 quirks entry
- USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
- usb: port: add delay after usb_hub_set_port_power()
- fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31605)
- staging: sm750fb: fix division by zero in ps_to_hz() (CVE-2026-31603)
- USB: serial: option: add Telit Cinterion FN990A MBIM composition
- ALSA: ctxfi: Limit PTP to a single page (CVE-2026-31602)
- dcache: Limit the minimal number of bucket to two (CVE-2026-43071)
- media: vidtv: fix NULL pointer dereference in
vidtv_channel_pmt_match_sections (CVE-2026-31599)
- ocfs2: fix possible deadlock between unlink and dio_end_io_write
(CVE-2026-31598)
- ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
(CVE-2026-31597)
- ocfs2: handle invalid dinode in ocfs2_group_extend (CVE-2026-31596)
- [x86] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
(CVE-2026-31590)
- Revert "dmaengine: idxd: Fix not releasing workqueue on .release()"
(regression in 6.1.168)
- ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
(CVE-2025-39997)
- net: add proper RCU protection to /proc/net/ptype (CVE-2026-23255)
- net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
- bonding: return detailed error when loading native XDP fails
- bonding: check xdp prog when set bond mode (CVE-2025-22105)
- drm/amdgpu: remove two invalid BUG_ON()s (CVE-2025-68201)
- nf_tables: nft_dynset: fix possible stateful expression memleak in error
path (CVE-2026-23399)
- rxrpc: proc: size address buffers for %pISpc output (CVE-2026-31630)
- [x86] KVM: x86: Use scratch field in MMIO fragment to hold small write
values (CVE-2026-31588)
- mm/kasan: fix double free for kasan pXds (CVE-2026-31686)
- mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
(CVE-2026-31586)
- media: vidtv: fix nfeeds state corruption on start_streaming failure
(CVE-2026-31585)
- media: em28xx: fix use-after-free in em28xx_v4l2_open() (CVE-2026-31583)
- ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581)
- bcache: fix cached_dev.sb_bio use-after-free and crash (CVE-2026-31580)
- media: as102: fix to not free memory after the device is registered in
as102_usb_probe() (CVE-2026-31578)
- nilfs2: fix NULL i_assoc_inode dereference in
nilfs_mdt_save_to_shadow_map
(CVE-2026-31577)
- media: vidtv: fix pass-by-value structs causing MSAN warnings
(CVE-2026-43058)
- media: hackrf: fix to not free memory after the device is registered in
hackrf_probe() (CVE-2026-31576)
- PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
(CVE-2026-31594)
- ipv6: add NULL checks for idev in SRv6 paths (CVE-2026-23442)
- gfs2: Improve gfs2_consist_inode() usage
- gfs2: Validate i_depth for exhash directories (CVE-2025-38710)
- wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
(CVE-2026-23444)
- net: dsa: clean up FDB, MDB, VLAN entries on unbind (CVE-2025-37864)
- [arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
- [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
- ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
- ocfs2: validate inline data i_size during inode read (CVE-2026-43076)
- ocfs2: fix out-of-bounds write in ocfs2_write_end_inline (CVE-2026-43075)
- rxrpc: Fix key quota calculation for multitoken keys
- rxrpc: Fix call removal to use RCU safe deletion (CVE-2026-31642)
- rxrpc: reject undecryptable rxkad response tickets (CVE-2026-31637)
- [x86] KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
- ublk: fix deadlock when reading partition table (CVE-2025-68823)
- PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
(CVE-2026-31595)
- [arm64,armhf] ASoC: qcom: q6apm: move component registration to unmanaged
version (CVE-2026-31587)
- rxrpc: Fix recvmsg() unconditional requeue (CVE-2026-23066)
- scsi: ufs: core: Fix use-after free in init error and remove paths
(CVE-2025-21739)
- ALSA: control: Avoid WARN() for symlink errors (CVE-2024-56657)
- f2fs: fix null-ptr-deref in f2fs_submit_page_bio() (CVE-2024-53221)
- wifi: iwlwifi: read txq->read_ptr under lock (CVE-2024-36922)
- [arm64] mm: fix VA-range sanity check (CVE-2023-53989)
- rxrpc: Fix anonymous key handling
- rxrpc: only handle RESPONSE during service challenge (CVE-2026-31676)
- fs/ntfs3: validate rec->used in journal-replay file record check
(CVE-2026-31716)
- fuse: reject oversized dirents in page cache (CVE-2026-31694)
- fuse: quiet down complaints in fuse_conn_limit_write
- smb: server: fix active_num_conn leak on transport allocation failure
(CVE-2026-31711)
- smb: server: fix max_connections off-by-one in tcp accept path
- smb: client: require a full NFS mode SID before reading mode bits
(CVE-2026-43350)
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
(CVE-2026-31708)
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
(CVE-2026-31705)
- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
(CVE-2026-31704)
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
(CVE-2026-31702)
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
- ALSA: caiaq: take a reference on the USB device in create_card()
(CVE-2026-31701)
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
(CVE-2026-31699)
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
failed (CVE-2026-31698)
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
(CVE-2026-31697)
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
(CVE-2026-31696)
- ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (CVE-2026-46018)
- ALSA: usb-audio: Avoid false E-MU sample-rate notifications
- ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
- usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
- ALSA: usb-audio: Evaluate packsize caps at the right place
- drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
(CVE-2026-46006)
- [x86] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
(CVE-2026-46022)
- [x86] ibmasm: fix OOB reads in command_file_write due to missing size
checks (CVE-2026-45994)
- [x86] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
(CVE-2026-46064)
- firmware: google: framebuffer: Do not mark framebuffer as busy
- padata: Fix pd UAF once and for all (CVE-2025-38584)
- padata: Remove comment for reorder_work
- drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
- drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
(CVE-2026-23468)
- net: enetc: fix the deadlock of enetc_mdio_lock (CVE-2025-40347)
- blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
(CVE-2023-53292)
- [arm64] set __exception_irq_entry with __irq_entry as a default
(CVE-2023-54322)
- regset: use kvzalloc() for regset_get_alloc()
- device property: Make modifications of fwnode "flags" thread safe
- ocfs2: split transactions in dio completion to avoid credit exhaustion
(CVE-2026-46080)
- driver core: Don't let a device probe until it's ready
- wifi: rtw88: check for PCI upstream bridge existence
- f2fs: fix to detect potential corrupted nid in free_nid_list
(CVE-2025-68315)
- crypto: pcrypt - Fix handling of MAY_BACKLOG requests (CVE-2026-43493)
- [arm*] media: amphion: Fix race between m2m job_abort and device_run
(CVE-2026-46058)
- ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names() (CVE-2026-46088)
- net: caif: clear client service pointer on teardown (CVE-2026-46098)
- net: strparser: fix skb_head leak in strp_abort_strp() (CVE-2026-46102)
- PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
(CVE-2026-46009)
- Revert "ALSA: usb: Increase volume range that triggers a warning"
(regression in 6.1.162)
- lib/ts_kmp: fix integer overflow in pattern length calculation
- net: qrtr: ns: Fix use-after-free in driver remove() (CVE-2026-46047)
- ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
(CVE-2026-46002)
- ALSA: ctxfi: Add fallback to default RSR for S/PDIF (CVE-2026-46049)
- ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
- erofs: fix the out-of-bounds nameoff handling for trailing dirents
(CVE-2026-46078)
- md/raid10: fix deadlock with check operation and nowait requests
(CVE-2026-46050)
- nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
- nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
- rbd: fix null-ptr-deref when device_add_disk() fails (CVE-2026-46079)
- io_uring/timeout: check unused sqe fields
- iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
- io_uring/poll: fix signed comparison in io_poll_get_ownership()
(CVE-2026-52933)
- io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
- ALSA: core: Fix potential data race at fasync handling
- ALSA: caiaq: Fix control_put() result and cache rollback
- ALSA: caiaq: Handle probe errors properly (CVE-2026-46004)
- ALSA: 6fire: Fix input volume change detection
- iio: adc: ad7768-1: fix one-shot mode data acquisition
- net: rds: fix MR cleanup on copy error (CVE-2026-46053)
- net/smc: avoid early lgr access in smc_clc_wait_msg (CVE-2026-46027)
- net: ks8851: Reinstate disabling of BHs around IRQ handler
(CVE-2026-46031)
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
(CVE-2026-46043)
- ipv4: icmp: validate reply type before using icmp_pointers
(CVE-2026-46037)
- libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
(CVE-2026-46024)
- power: supply: axp288_charger: Do not cancel work before initializing it
- randomize_kstack: Maintain kstack_offset per task
- mmc: block: use single block write in retry
- [arm64] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
- tpm: tpm_tis: add error logging for data transfer
- userfaultfd: allow registration of ranges below mmap_min_addr
- [x86] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
- [x86] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
- [x86] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
(CVE-2026-45987)
- [x86] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 (CVE-2026-46082)
- [x86] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB
intercepts
- [x86] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest
mode
- [x86] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested
#VMEXIT
- [x86] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested
VMRUN
- [x86] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
- [x86] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested
#VMEXIT
- [x86] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
- [x86] KVM: nSVM: Add missing consistency check for nCR3 validity
- mtd: docg3: fix use-after-free in docg3_release() (CVE-2026-46285)
- io_uring/poll: fix multishot recv missing EOF on wakeup race
- ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
(CVE-2026-46046)
- md/raid5: fix soft lockup in retry_aligned_read() (CVE-2026-46051)
- md/raid5: validate payload size before accessing journal metadata
(CVE-2026-46070)
- inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
(CVE-2026-46040)
- tcp: call sk_data_ready() after listener migration (CVE-2026-46015)
- taskstats: set version in TGID exit notifications
- Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
(CVE-2026-46056)
- can: ucan: fix devres lifetime (CVE-2026-46103)
- [arm64] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as
64-bit
- [armel,armhf] crypto: atmel-aes - Fix 3-page memory leak in
atmel_aes_buff_cleanup (CVE-2026-46019)
- [arm*] crypto: ccree - fix a memory leak in cc_mac_digest()
(CVE-2026-45986)
- [armel,armhf] crypto: atmel-tdes - fix DMA sync direction
(CVE-2026-46077)
- crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
(CVE-2026-46075)
- dm mirror: fix integer overflow in create_dirty_log() (CVE-2026-46023)
- IB/core: Fix zero dmac race in neighbor resolution
- ntfs3: add buffer boundary checks to run_unpack() (CVE-2026-46072)
- ntfs3: fix integer overflow in run_unpack() volume boundary check
(CVE-2026-46062)
- rtmutex: Use waiter::task instead of current in remove_waiter()
(CVE-2026-43499)
- scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
(CVE-2026-45997)
- seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
- crypto: authencesn - reject short ahash digests during instance creation
(CVE-2026-46033)
- ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
- ALSA: caiaq: Don't abort when no input device is available
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
(CVE-2026-43501)
- drm/amdgpu: fix zero-size GDS range init on RDNA4 (CVE-2026-46276)
- ALSA: caiaq: fix usb_dev refcount leak on probe failure
- net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (CVE-2026-46099)
- netfilter: reject zero shift in nft_bitwise (CVE-2026-46101)
- scsi: target: configfs: Bound snprintf() return in
tg_pt_gp_members_show()
(CVE-2026-46149)
- ipmi: Add limits to event and receive message requests (CVE-2026-46177)
- ipmi: Check event message buffer response for bad data (CVE-2026-46128)
- ipmi:si: Return state to normal if message allocation fails
(CVE-2026-46108)
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
(CVE-2026-43497)
- ACPI: scan: Use acpi_dev_put() in object add error paths
- ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
- [x86] ACPI: video: force native backlight on HP OMEN 16 (8A44)
- ASoC: SOF: Don't allow pointer operations on unconfigured streams
(CVE-2026-46179)
- [arm64,armhf] spi: rockchip: fix controller deregistration
- drm/amd/display: Do not skip unrelated mode changes in DSC validation
(CVE-2026-31488)
- [arm64,armhf] spi: meson-spicc: Fix double-put in remove path
(CVE-2026-31489)
- ext4: validate p_idx bounds in ext4_ext_correct_indexes (CVE-2026-31449)
- [x86] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
(CVE-2026-46113)
- flow_dissector: do not dissect PPPoE PFC frames (CVE-2026-46306)
- net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked (CVE-2026-43496)
- Bluetooth: hci_sync: Remove remaining dependencies of hci_request
- Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
(CVE-2026-31500)
- ice: Fix memory leak in ice_set_ringparam() (CVE-2026-23389)
- exit: prevent preemption of oopsing TASK_DEAD task (CVE-2026-46173)
- wifi: mt76: mt7921: fix a potential clc buffer length underflow
(CVE-2026-46136)
- wifi: b43legacy: enforce bounds check on firmware key index in RX path
(CVE-2026-46163)
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop
(CVE-2026-46187)
- wifi: ath5k: do not access array OOB (CVE-2026-46307)
- wifi: b43: enforce bounds check on firmware key index in b43_rx()
(CVE-2026-46122)
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response
(CVE-2026-46151)
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
(CVE-2026-46167)
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
(CVE-2026-46146)
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check
- USB: serial: option: add Telit Cinterion LE910Cx compositions
- usb: ulpi: fix memory leak on ulpi_register() error paths
(CVE-2026-46109)
- ALSA: firewire-tascam: Do not drop unread control events
- xfrm: provide message size for XFRM_MSG_MAPPING
- ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() (CVE-2026-46172)
- Bluetooth: virtio_bt: clamp rx length before skb_put (CVE-2026-46123)
- Bluetooth: virtio_bt: validate rx pkt_type header length (CVE-2026-46186)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
(CVE-2026-45835)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
(CVE-2026-45834)
- fanotify: fix false positive on permission events (CVE-2026-46150)
- net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo (CVE-2026-46132)
- sound: ua101: fix division by zero at probe (CVE-2026-46184)
- ip6_gre: Use cached t->net in ip6erspan_changelink(). (CVE-2026-46120)
- net/rds: handle zerocopy send cleanup before the message is queued
(CVE-2026-43502)
- [x86] hwmon: (corsair-psu) Close HID device on probe errors
- cifs: abort open_cached_dir if we don't request leases
- cifs: change_conf needs to be called for session setup
- [arm64] extcon: ptn5150: handle pending IRQ events during system resume
- [arm64] hv_sock: fix ARM64 support
- [ppc64el] ibmveth: Disable GSO for packets with small MSS
(CVE-2026-46273)
- udf: reject descriptors with oversized CRC length
- spi: topcliff-pch: fix use-after-free on unbind (CVE-2026-46301)
- [ppc64el] cpuidle: powerpc: avoid double clear when breaking snooze
- [x86] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in
quirk table
- [arm64,armhf] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
- [arm64,armhf] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
(CVE-2026-46143)
- [arm64,armhf] ASoC: qcom: q6apm: remove child devices when apm is removed
- btrfs: fix double free in create_space_info() error path (CVE-2026-46129)
- dm-thin: fix metadata refcount underflow (CVE-2026-46107)
- dm: don't report warning when doing deferred remove
- dm: fix a buffer overflow in ioctl processing (CVE-2026-46294)
- dm-verity-fec: correctly reject too-small FEC devices
- dm-verity-fec: correctly reject too-small hash devices
- isofs: validate Rock Ridge CE continuation extent against volume size
(CVE-2026-46303)
- isofs: validate block number from NFS file handle in isofs_export_iget
(CVE-2026-46124)
- libceph: Fix slab-out-of-bounds access in auth message processing
(CVE-2026-46119)
- md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
(CVE-2026-46161)
- nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free (CVE-2026-46304)
- openvswitch: vport: fix self-deadlock on release of tunnel ports
(CVE-2026-46165)
- [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
(CVE-2026-46112)
- [s390x] debug: Reject zero-length input in debug_input_flush_fn()
- smb/client: fix out-of-bounds read in symlink_data() (CVE-2026-46185)
- PCI/AER: Clear only error bits in PCIe Device Status
- PCI/AER: Stop ruling out unbound devices as error source
- [x86] power: supply: max17042: avoid overflow when determining health
- RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
(CVE-2026-46178)
- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
(CVE-2026-46127)
- RDMA/rxe: Reject unknown opcodes before ICRC processing (CVE-2026-46133)
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
(CVE-2026-46189)
- mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
- mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
- mptcp: sockopt: set timestamp flags on subflow socket, not msk
- mptcp: fix scheduling with atomic in timestamp sockopt (CVE-2026-46168)
- f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
- f2fs: fix fiemap boundary handling when read extent cache is incomplete
- f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
- [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong
value
- f2fs: compress: change the first parameter of page_array_{alloc,free} to
sbi
- f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
(CVE-2025-38627)
- exit: Sleep at TASK_IDLE when waiting for application core dump
- media: uvcvideo: Enable VB2_DMABUF for metadata stream
- [x86] staging: media: atomisp: Disallow all private IOCTLs
(CVE-2026-46205)
- media: rc: xbox_remote: heed DMA restrictions (CVE-2026-46236)
- media: rc: streamzap: Error handling in probe
- media: saa7164: add ioremap return checks and cleanups (CVE-2026-46235)
- [x86] platform/x86: hp-wmi: Ignore backlight and FnLock events
- media: pci: zoran: fix potential memory leak in zoran_probe()
- media: dib8000: avoid division by 0 in dib8000_set_dds()
- [armhf] media: omap3isp: drop the use count of v4l2 pipeline
- [arm64,armhf] spi: imx: fix runtime pm leak on probe deferral
- [armel,armhf] spi: orion: fix clock imbalance on registration failure
- drm/amdgpu: Add bounds checking to ib_{get,set}_value (CVE-2026-46218)
- drm/amdgpu/vce: Prevent partial address patches
- drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg (CVE-2026-46199)
- drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg (CVE-2026-46230)
- drm/gem: Fix inconsistent plane dimension calculation in
drm_gem_fb_init_with_funcs() (CVE-2026-46209)
- drm/amdkfd: validate SVM ioctl nattr against buffer size (CVE-2026-46197)
- drm/radeon: add missing revision check for CI
- drm/amdgpu: zero-initialize GART table on allocation
- drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
- drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
(CVE-2026-46220)
- drm/amdgpu/pm: add missing revision check for CI
- drm/amdgpu/pm: align Hawaii mclk workaround with radeon
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
(CVE-2026-46227)
- batman-adv: fix integer overflow on buff_pos (CVE-2026-46198)
- batman-adv: reject new tp_meter sessions during teardown (CVE-2026-46206)
- batman-adv: stop caching unowned originator pointers in BAT IV
(CVE-2026-46238)
- batman-adv: bla: prevent use-after-free when deleting claims
(CVE-2026-46212)
- batman-adv: bla: only purge non-released claims (CVE-2026-46233)
- batman-adv: bla: put backbone reference on failed claim hash insert
(CVE-2026-46231)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
(CVE-2026-45836)
- mtd: spi-nor: sst: Factor out common write operation to
`sst_nor_write_data()`
- mtd: spi-nor: sst: Fix write enable before AAI sequence
- vsock: fix buffer size clamping order (CVE-2026-46234)
- vsock/virtio: fix accept queue count leak on transport mismatch
(CVE-2026-46214)
- drm/amdgpu/vcn3: Avoid overflow on msg bound check
- drm/amdgpu/vcn4: Avoid overflow on msg bound check
- mtd: spi-nor: sst: Fix SST write failure
- bcache: fix uninitialized closure object
- blk-cgroup: wait for blkcg cleanup before initializing new disk
- fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
(CVE-2026-53130)
- drbd: Balance RCU calls in drbd_adm_dump_devices() (CVE-2026-53128)
- nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
(CVE-2026-53320)
- pstore/ram: fix resource leak when ioremap() fails
- devres: fix missing node debug info in devm_krealloc()
- debugfs: check for NULL pointer in debugfs_create_str()
- hrtimers: Update the return type of enqueue_hrtimer()
- hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
- hrtimer: Reduce trace noise in hrtimer_start()
- locking: Fix rwlock support in <linux/spinlock_up.h>
- firmware: dmi: Correct an indexing error in dmi.h
- wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
- wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished
irq_prepare_bcn_tasklet (CVE-2026-53112)
- bpf: Add CHECKSUM_COMPLETE to bpf test progs
- bpf: test_run: Fix the null pointer dereference issue in
bpf_lwt_xmit_push_encap (CVE-2026-53111)
- kernel: param: rename locate_module_kobject
- kernel: globalize lookup_or_create_module_kobject()
- bpf, devmap: Remove unnecessary if check in for loop
- bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
(CVE-2026-53096)
- wifi: rtw89: phy: fix uninitialized variable access in
rtw89_phy_cfo_set_crystal_cap()
- r8152: fix incorrect register write to USB_UPHY_XTAL
- [ppc64el] powerpc/crash: fix backup region offset update to elfcorehdr
- macvlan: annotate data-races around port->bc_queue_len_used
- bpf: fix end-of-list detection in cgroup_storage_get_next_key()
(CVE-2026-45838)
- wifi: brcmfmac: Fix error pointer dereference (CVE-2026-53093)
- bpf: Drop task_to_inode and inet_conn_established from lsm sleepable
hooks
- bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
(CVE-2026-45839)
- [arm64] ACPI: AGDI: fix missing newline in error message
- [arm64] kexec: Remove duplicate allocation for trans_pgd
- [arm64] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
(CVE-2026-53088)
- [arm64] net: bcmgenet: Remove TX ring full logging
- [arm64] net: bcmgenet: Remove custom ndo_poll_controller()
- [arm64] net: bcmgenet: add bcmgenet_has_* helpers
- [arm64] net: bcmgenet: move DESC_INDEX flow to ring 0
- [arm64] net: bcmgenet: support reclaiming unsent Tx packets
- [arm64] net: bcmgenet: switch to use 64bit statistics
- [arm64] net: bcmgenet: fix racing timeout handler (CVE-2026-53086)
- netfilter: xt_socket: enable defrag after all other checks
- netfilter: nft_fwd_netdev: check ttl/hl before forwarding
- 6pack: propagage new tty types
- net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
(CVE-2026-53082)
- net/sched: act_ct: Only release RCU read lock after ct_ft
(CVE-2026-46319)
- net/rds: Optimize rds_ib_laddr_check
- net/rds: Restrict use of RDS/IB to the initial network namespace
(CVE-2026-53077)
- ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
(CVE-2026-53075)
- bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
(CVE-2026-53074)
- Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds
MTU
- Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (CVE-2026-53073)
- Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
(CVE-2026-53072)
- Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
(CVE-2026-53071)
- sctp: fix missing encap_port propagation for GSO fragments
- net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
(CVE-2026-53069)
- [arm*] drm/komeda: fix integer overflow in AFBC framebuffer size check
(CVE-2026-53068)
- [arm*] drm/sun4i: backend: fix error pointer dereference (CVE-2026-53066)
* [armhf] ASoC: sti: use managed regmap_field allocations (CVE-2026-53065)
- dm cache: fix null-deref with concurrent writes in passthrough mode
(CVE-2026-53064)
- dm cache: fix write path cache coherency in passthrough mode
- dm cache: fix write hang in passthrough mode (CVE-2026-53063)
- dm cache policy smq: fix missing locks in invalidating cache blocks
(CVE-2026-53062)
- dm cache: fix concurrent write failure in passthrough mode
- dm cache: support shrinking the origin device
- dm cache: fix dirty mapping checking in passthrough mode switching
(CVE-2026-53061)
- dm cache metadata: fix memory leak on metadata abort retry
(CVE-2026-53060)
- dm log: fix out-of-bounds write due to region_count overflow
(CVE-2026-53059)
- [arm64] spi: fsl-qspi: Use reinit_completion() for repeated operations
- [arm*] drm/sun4i: Fix resource leaks
- drm/amdgpu: Add default case in DVI mode validation
- dm init: ensure device probing has finished in dm-mod.waitfor=
- padata: Remove cpu online check from cpu add and removal
- padata: Put CPU offline callback in ONLINE section to allow failure
(CVE-2026-53314)
- drm/amdgpu/gfx10: look at the right prop for gfx queue priority
- [arm64] drm/msm/dpu: fix mismatch between power and frequency
(CVE-2026-53056)
- [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
- [arm64,armhf] drm/panel: simple: Correct G190EAN01 prepare timing
- ALSA: core: Validate compress device numbers without dynamic minors
- drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
- drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
- drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
- drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
- drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
- drm/amd/pm/ci: Fill DW8 fields from SMC
- drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
- [arm64] drm/msm/a6xx: Fix HLSQ register dumping
- [arm64] drm/msm/shrinker: Fix can_block() logic
- [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers
- [armhf] pmdomain: ti: omap_prm: Fix a reference leak on device node
- [arm64] ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
- [arm*] ASoC: qcom: qdsp6: topology: check widget type before accessing
data (CVE-2026-53052)
- PCI: Enable AtomicOps only if Root Port supports them
- ALSA: scarlett2: Add missing sentinel initializer field
- [x86] ASoC: SOF: amd: Fix for reading position updates from stream box.
- [x86] ASoC: SOF: Prepare ipc_msg_data to be used with compress API
- [x86] ASoC: SOF: Prepare set_stream_data_offset for compress API
- [x86] ASoC: SOF: Add support for compress API for stream data/offset
- [x86] ASoC: SOF: compress: return the configured codec from get_params
- [i386] ALSA: sc6000: Use standard print API
- [i386] ALSA: sc6000: Keep the programmed board state in card-private data
- dm cache: fix missing return in invalidate_committed's error path
- gfs2: Call unlock_new_inode before d_instantiate
- quota: Fix race of dquot_scan_active() with quota deactivation
(CVE-2026-53050)
- gfs2: add some missing log locking (CVE-2026-53049)
- gfs2: prevent NULL pointer dereference during unmount (CVE-2026-53048)
- efi/capsule-loader: fix incorrect sizeof in phys array reallocation
(CVE-2026-53047)
- ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
(CVE-2026-53046)
- [armhf] dts: mediatek: mt7623: fix efuse fallback compatible
- [armhf] memory: tegra124-emc: Fix dll_change check (CVE-2026-53045)
- [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO
(M.2 W_DISABLE1)
- [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count
- [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count
- [arm64] dts: qcom: sm8450: Fix GIC_ITS range length
- [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
- [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered
during boot
- unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
- ocfs2/dlm: validate qr_numregions in dlm_match_regions() (CVE-2026-53043)
- ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
(CVE-2026-53309)
- [arm64] soc: qcom: aoss: compare against normalized cooling state
- [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
- [arm64] xor: fix conflicting attributes for xor_block_template
- ocfs2: fix listxattr handling when the buffer is full (CVE-2026-53041)
- ocfs2: validate bg_bits during freefrag scan (CVE-2026-53040)
- ocfs2: validate group add input before caching (CVE-2026-53039)
- soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
- [armhf] dmaengine: mxs-dma: Fix missing return value from
of_dma_controller_register()
- tracing: Rebuild full_name on each hist_field_name() call
- ima: check return value of crypto_shash_final() in boot aggregate
- HID: asus: make asus_resume adhere to linux kernel coding standards
- HID: asus: do not abort probe when not necessary
- mtd: spi-nor: core: correct the op.dummy.nbytes when check read
operations
- mtd: spi-nor: spansion: Rename s28hs512t prefix
- mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/
addr_mode_nbytes
- mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy
bytes
- mtd: spi-nor: spansion: Add support for Infineon S25FS256T
- mtd: spi-nor: Allow post_sfdp hook to return errors
- mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
- mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
- mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
- mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
- mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
- mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
- [armhf] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
- HID: usbhid: fix deadlock in hid_post_reset() (CVE-2026-53037)
- [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check
(CVE-2026-53036)
- bpf, sockmap: Fix af_unix iter deadlock (CVE-2026-53035)
- bpf, sockmap: Fix af_unix null-ptr-deref in proto update (CVE-2026-53034)
- bpf, sockmap: Take state lock for af_unix iter (CVE-2026-53033)
- bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
- bpf: allow UTF-8 literals in bpf_bprintf_prepare()
- [armel,armhf] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the
JIT
- perf branch: Avoid incrementing NULL
- perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE
trace
- perf expr: Return -EINVAL for syntax error in expr__find_ids()
- perf util: Kill die() prototype, dead for a long time
- i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
- dev_printk: add new dev_err_probe() helpers
- [x86] platform/surface: surfacepro3_button: Drop wakeup source on remove
- [s390x] tty: hvc_iucv: fix off-by-one in number of supported devices
(CVE-2026-53306)
- [x86] platform/x86: panasonic-laptop: Fix OPTD notifier registration and
cleanup
- [armhf] mfd: mc13xxx-core: Fix memory leak in
mc13xxx_add_subdevice_pdata()
- nfs/blocklayout: Fix compilation error (`make W=1`) in
bl_write_pagelist()
- fs/ntfs3: terminate the cached volume label after UTF-8 conversion
(CVE-2026-53023)
- [x86] platform/x86: dell_rbu: avoid uninit value usage in
packet_size_write()
- [x86] platform/x86: dell-wmi-sysman: bound enumeration string aggregation
(CVE-2026-53022)
- RDMA/core: Prefer NLA_NUL_STRING
- scsi: sg: Resolve soft lockup issue when opening /dev/sgX
(CVE-2026-53304)
- scsi: target: core: Fix integer overflow in UNMAP bounds check
(CVE-2026-53021)
- [armhf] clk: imx: imx6q: Fix device node reference leak in
pll6_bypassed()
- [armhf] clk: imx: imx6q: Fix device node reference leak in
of_assigned_ldb_sels()
- [arm64] clk: imx8mq: Correct the CSI PHY sels
- [arm64] clk: qoriq: avoid format string warning
- [arm64] clk: xgene: Fix mapping leak in xgene_pllclk_init()
- f2fs: Use sysfs_emit_at() to simplify code
- f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
(CVE-2026-53303)
- [x86] drm/i915: Constify watermark state checker
- [x86] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
- [x86] drm/i915: Loop over all active pipes in intel_mbus_dbox_update
- [x86] drm/i915/wm: Verify the correct plane DDB entry
- crypto: ccp - copy IV using skcipher ivsize (CVE-2026-53016)
- [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
- [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
- [x86] PCMCIA: Fix garbled log messages for KERN_CONT
- [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
- [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
- net/sched: sch_cake: fix NAT destination port not being updated in
cake_update_flowkeys
- nexthop: fix IPv6 route referencing IPv4 nexthop (CVE-2026-53012)
- net/sched: taprio: continue with other TXQs if one dequeue() failed
- net/sched: taprio: refactor one skb dequeue from TXQ to separate function
- net/sched: taprio: rename close_time to end_time
- net/sched: taprio: fix use-after-free in advance_sched() on schedule
switch (CVE-2026-53011)
- container_of: remove container_of_safe()
- container_of: add container_of_const() that preserves const-ness of the
pointer
- tcp: preserve const qualifier in tcp_sk()
- tcp: add data-race annotations around tp->data_segs_out and
tp->total_retrans
- tcp: annotate data-races around tp->bytes_sent
- tcp: annotate data-races around tp->bytes_retrans
- tcp: annotate data-races around tp->dsack_dups
- tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
- i40e: don't advertise IFF_SUPP_NOFCS
- e1000e: Unroll PTP in probe error handling
- ipv6: fix possible UAF in icmpv6_rcv() (CVE-2026-53006)
- sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
(CVE-2026-53004)
- pppoe: drop PFC frames (CVE-2026-53003)
- openvswitch: cap upcall PID array size and pre-size vport replies
(CVE-2026-45840)
- netfilter: nft_osf: restrict it to ipv4
- netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
(CVE-2026-45841)
- netfilter: conntrack: remove sprintf usage (CVE-2026-53002)
- netfilter: xtables: restrict several matches to inet family
(CVE-2026-53001)
- ipvs: fix MTU check for GSO packets in tunnel mode
- netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
(CVE-2026-52999)
- netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
(CVE-2026-52998)
- slip: reject VJ receive packets on instances with no rstate array
(CVE-2026-45842)
- slip: bound decode() reads against the compressed packet length
(CVE-2026-45843)
- [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number
- ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
- ksmbd: scope conn->binding slowpath to bound sessions only
(CVE-2026-52911)
- net/rds: zero per-item info buffer before handing it to visitors
(CVE-2026-52995)
- net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
- net/sched: sch_pie: annotate data-races in pie_dump_stats()
- net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
- net/sched: sch_red: annotate data-races in red_dump_stats()
- net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
- nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
- tipc: fix double-free in tipc_buf_append() (CVE-2026-52993)
- vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
- fs/adfs: validate nzones in adfs_validate_bblk() (CVE-2026-52992)
- fbdev: offb: fix PCI device reference leak on probe failure
- mailbox: mailbox-test: free channels on probe error (CVE-2026-53296)
- cgroup/rdma: fix integer overflow in rdmacg_try_charge()
- mailbox: add sanity check for channel array (CVE-2026-53295)
- mailbox: mailbox-test: don't free the reused channel (CVE-2026-53294)
- btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
- tracing: branch: Fix inverted check on stat tracer registration
- nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
(CVE-2026-52989)
- netfilter: arp_tables: fix IEEE1394 ARP payload parsing (CVE-2026-45844)
- nvme-pci: fix missed admin queue sq doorbell write
- drm/amdgpu: fix spelling typos
- drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
- drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
- netfilter: xt_policy: fix strict mode inbound policy matching
(CVE-2026-52920)
- netfilter: nf_conntrack_sip: don't use simple_strtoul (CVE-2026-52986)
- [arm64,armhf] drivers/spi-rockchip.c : Remove redundant variable slave
- [arm64,armhf] spi: rockchip: switch to use modern name
- [arm64.armhf] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
- cdrom, scsi: sr: propagate read-only status to block layer via
set_disk_ro()
- netdevsim: zero initialize struct iphdr in dummy sk_buff (CVE-2026-52985)
- net/sched: netem: fix probability gaps in 4-state loss model
- net/sched: netem: fix queue limit check to include reordered packets
(CVE-2026-52984)
- net/sched: netem: validate slot configuration
- net/sched: netem: fix slot delay calculation overflow
- net/sched: sch_choke: annotate data-races in choke_dump_stats()
- net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
- vrf: Fix a potential NPD when removing a port from a VRF (CVE-2026-52925)
- net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
(CVE-2026-52982)
- net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
- neighbour: add RCU protection to neigh_tables[]
- neigh: let neigh_xmit take skb ownership (CVE-2026-52981)
- ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
- net: mctp i2c: check length before marking flow active
- netfilter: skip recording stale or retransmitted INIT
- sctp: discard stale INIT after handshake completion
- ipv4: rename and move ip_route_output_tunnel()
- ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
- ipv4: add new arguments to udp_tunnel_dst_lookup()
- ipv6: rename and move ip6_dst_lookup_tunnel()
- bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
(CVE-2026-45846)
- net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
- net: netconsole: move newline trimming to function
- netconsole: propagate device name truncation in dev_name_store()
- ALSA: hda/conexant: fix some typos
- ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
- ALSA: hda/conexant: Fix missing error check for jack detection
(CVE-2026-53291)
- futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
(CVE-2026-52977)
- drm/amd/display: Allow DCE link encoder without AUX registers
- drm/amd/display: Read EDID from VBIOS embedded panel info
- bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
- net: bonding: add broadcast_neighbor option for 802.3ad
- bonding: add support for per-port LACP actor priority
- bonding: print churn state via netlink
- bonding: 3ad: implement proper RCU rules for port->aggregator
(CVE-2026-52975)
- iavf: stop removing VLAN filters from PF on interface down
- iavf: wait for PF confirmation before removing VLAN filters
- iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
- ice: Pull common tasks into ice_vf_post_vsi_rebuild
- ice: fix NULL pointer dereference in ice_reset_all_vfs()
(CVE-2026-53289)
- net: tls: fix strparser anchor skb leak on offload RX setup failure
(CVE-2026-52974)
- net/sched: cls_flower: revert unintended changes
- smb: client: correctly handle ErrorContextData as a flexible array
- smb: client: fix OOB reads parsing symlink error response
(CVE-2026-31613)
- net/sched: sch_pie: annotate more data-races in pie_dump_stats()
- [arm64] net: bcmgenet: Initialize u64 stats seq counter
- [arm64] net: bcmgenet: fix leaking free_bds
- btrfs: tracepoints: fix sleep while in atomic context in
btrfs_sync_file()
- ALSA: misc: Use guard() for spin locks
- ALSA: core: Serialize deferred fasync state checks
- [x86] ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
- [x86] ASoC: SOF: stream-ipc: Check for cstream nullity in
sof_ipc_msg_data()
- mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T
- netconsole: avoid out-of-bounds access on empty string in trim_newline()
- bonding: fix NULL pointer dereference in actor_port_prio setting
- net: bonding: update the slave array for broadcast mode
- crypto: af_alg - Cap AEAD AD length to 0x80000000 (CVE-2026-52972)
- i40e: Cleanup PTP pins on probe failure
- netfilter: nf_conntrack_sip: get helper before allocating expectation
- audit: fix incorrect inheritable capability in CAPSET records
(CVE-2026-53287)
- netfilter: nft_ct: fix missing expect put in obj eval (CVE-2026-52970)
- net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
- audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
- KVM: Reject wrapped offset in kvm_reset_dirty_gfn() (CVE-2026-52969)
- [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling
pointer arithmetic (CVE-2026-52968)
- [x86] KVM: x86: Fix Xen hypercall tracepoint argument assignment
- smb/client: fix possible infinite loop and oob read in symlink_data()
(CVE-2026-52967)
- [x86] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
- ALSA: usb-audio: Bound MIDI endpoint descriptor scans (CVE-2026-52963)
- ceph: fix a buffer leak in __ceph_setxattr() (CVE-2026-52962)
- libceph: Fix potential out-of-bounds access in osdmap_decode()
(CVE-2026-52958)
- libceph: Fix potential null-ptr-deref in decode_choose_args()
(CVE-2026-52957)
- libceph: Fix potential out-of-bounds access in crush_decode()
(CVE-2026-52955)
- libceph: handle rbtree insertion error in decode_choose_args()
(CVE-2026-52954)
- [x86] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
- [x86] drm/i915: skip __i915_request_skip() for already signaled requests
- [arm64,armhf] drm/panfrost: Fix wait_bo ioctl leaking positive return
from dma_resv_wait_timeout()
- [x86] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
- [x86] drm/gma500/oaktrail_lvds: fix hang on init failure (CVE-2026-53279)
- [x86] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
- io-wq: check that the predecessor is hashed in io_wq_remove_pending()
- net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494)
- io_uring: prevent opcode speculation (CVE-2025-21863)
- [s390x] debug: Reject zero-length input before trimming a newline
- wifi: mac80211: check tdls flag in ieee80211_tdls_oper (CVE-2026-43052)
- [x86] Revert "x86/vdso: Fix output operand size of RDPID"
- [s390x] Revert "s390/cio: Fix device lifecycle handling in
css_alloc_subchannel()" (regression in 6.1.165)
- sysfs: don't remove existing directory on update failure
- ALSA: ua101: Reject too-short USB descriptors
- ALSA: asihpi: Fix potential OOB array access at reading cache
- net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
- Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
- Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
- Bluetooth: bnep: Fix UAF read of dev->name
- Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
(CVE-2026-46275)
- Bluetooth: MGMT: validate Add Extended Advertising Data length
- phonet/pep: disable BH around forwarded sk_receive_skb()
- [arm64] net: bcmgenet: keep RBUF EEE/PM disabled
- net: ifb: report ethtool stats over num_tx_queues
- netfilter: ip6t_hbh: reject oversized option lists (CVE-2026-52915)
- netfilter: nf_queue: hold bridge skb->dev while queued (CVE-2026-52912)
- netfilter: ipset: stop hash:* range iteration at end (CVE-2026-52921)
- qed: fix double free in qed_cxt_tables_alloc()
- ring-buffer: Fix reporting of missed events in iterator
- vsock/vmci: fix UAF when peer resets connection during handshake
- vsock/virtio: reset connection on receiving queue overflow
- wifi: ath11k: clear shared SRNG pointer state on restart
- ipv4: raw: reject IP_HDRINCL packets with ihl < 5
- ixgbevf: fix use-after-free in VEPA multicast source pruning
- ice: fix setting promisc mode while adding VID filter
- wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
- cifs: Fix busy dentry used after unmounting
- tracing: Do not call map->ops->elt_free() if elt_alloc() fails
- [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range
num_eventid_bits
- [x86] scsi: isci: Fix use-after-free in device removal path
- [armhf] spi: ti-qspi: fix use-after-free after DMA setup failure
- RDMA/siw: Reject MPA FPDU length underflow before signed receive math
- device property: set fwnode->secondary to NULL in fwnode_init()
- drm/virtio: use uninterruptible resv lock for plane updates
- drm/amd/display: Fix integer overflow in bios_get_image()
- drm/amd/display: Validate GPIO pin LUT table size before iterating
- drm/amd/display: Validate payload length and link_index in
dc_process_dmub_aux_transfer_async
- batman-adv: mcast: fix use-after-free in orig_node RCU release
- batman-adv: clear current gateway during teardown (CVE-2026-52926)
- batman-adv: dat: handle forward allocation error (CVE-2026-52922)
- batman-adv: fix fragment reassembly length accounting (CVE-2026-52914)
- batman-adv: fix tp_meter counter underflow during shutdown
(CVE-2026-52919)
- batman-adv: frag: disallow unicast fragment in fragment (CVE-2026-52916)
- batman-adv: bla: fix report_work leak on backbone_gw purge
- batman-adv: tp_meter: avoid use of uninit sender vars (CVE-2026-52931)
- batman-adv: tt: fix negative last_changeset_len
- batman-adv: tt: fix negative tt_buff_len
- HID: uclogic: Fix regression of input name assignment
- netfilter: x_tables: unregister the templates first
- tcp: Fix imbalanced icsk_accept_queue count.
- ice: fix locking in ice_dcb_rebuild()
- [arm64,armhf] phy: marvell: mvebu-a3700-utmi: fix incorrect
USB2_PHY_CTRL register access
- irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
- wifi: ath11k: fix error path leaks in some WMI WOW calls
- HID: quirks: really enable the intended work around for appledisplay
- net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
(CVE-2026-52941)
- ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
- [arm64] drm/msm/dsi: don't dump registers past the mapped region
- [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid
WARN
- [ppc64el] powerpc/time: Remove redundant preempt_disable|enable() calls
from arch_irq_work_raise()
- net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
- net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
- net: tls: prevent chain-after-chain in plain text SG
- [arm64] drm/msm/snapshot: fix dumping of the unaligned regions
- wifi: ath11k: Trigger sta disconnect on hardware restart
- wifi: ath11k: update hw params for IPQ5018
- wifi: ath11k: update ce configurations for IPQ5018
- wifi: ath11k: remap ce register space for IPQ5018
- wifi: ath11k: update hal srng regs for IPQ5018
- wifi: ath11k: initialize hw_ops for IPQ5018
- wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap
- wifi: ath11k: fix rssi station dump not updated in QCN9074
- wifi: ath11k: fix peer resolution on rx path when peer_id=0
- net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
- [x86] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
- [x86] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
- [x86] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
- RDMA/rtrs: Fix use-after-free in path file creation cleanup
- net: bridge: Flush multicast groups when snooping is disabled
- bridge: mcast: Fix a possible use-after-free when removing a bridge port
- tracing: Avoid NULL return from hist_field_name() on truncation
- string: add mem_is_zero() helper to check if memory area is all zeros
- gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
- gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
- net: mana: validate rx_req_idx to prevent out-of-bounds array access
- security/keys: fix missed RCU read section on lookup
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.176
- Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
- net/sched: cls_fw: fix NULL dereference of "old" filters before change()
(CVE-2026-53080)
- net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930)
- net/sched: sch_sfb: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
- drm: Remove plane hsub/vsub alignment requirement for core helpers
- [armhf] net: cpsw_new: Fix potential unregister of netdev that has not
been registered yet (CVE-2026-43219)
- nfc: llcp: Fix use-after-free in llcp_sock_release()
- nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
- xfrm: Check for underflow in xfrm_state_mtu
- nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
- netfilter: synproxy: refresh tcphdr after skb_ensure_writable
- netfilter: xt_cpu: prefer raw_smp_processor_id
- netfilter: ebtables: fix OOB read in compat_mtw_from_user
(CVE-2026-52927)
- tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321)
- tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322)
- net: netlink: fix sending unassigned nsid after assigned one
- net: netlink: don't set nsid on local notifications
- net/smc: Do not re-initialize smc hashtables
- [s390x] net/iucv: fix locking in .getsockopt
- ipv4: free net->ipv4.sysctl_local_reserved_ports after
unregister_net_sysctl_table()
- [x86] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
- net: hsr: fix potential OOB access in supervision frame handling
- tunnels: load network headers after skb_cow() in
iptunnel_pmtud_build_icmp[v6]()
- vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
- tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
- ASoC: codecs: simple-mux: Fix enum control bounds check
- Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
- bonding: refuse to enslave CAN devices
- ethtool: eeprom: add more safeties to EEPROM Netlink fallback
- ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
- Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
- Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
- [arm*] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
- net: mana: Add NULL guards in teardown path to prevent panic on attach
failure
- sctp: fix race between sctp_wait_for_connect and peeloff
- ipv6: fix possible infinite loop in rt6_fill_node()
- ipv6: fix possible infinite loop in fib6_select_path()
- net: skbuff: fix pskb_carve leaking zcopy pages
- batman-adv: v: stop OGMv2 on disabled interface (CVE-2026-52913)
- batman-adv: tvlv: abort OGM send on tvlv append failure
- batman-adv: tt: reject oversized local TVLV buffers
- batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
- batman-adv: tvlv: reject oversized TVLV packets (CVE-2026-52934)
- batman-adv: iv: recover OGM scheduling after forward packet error
- batman-adv: tp_meter: directly shut down timer on cleanup
- batman-adv: tt: fix TOCTOU race for reported vlans
- batman-adv: tt: avoid empty VLAN responses
- batman-adv: bla: avoid double decrement of bla.num_requests
- mm/page_alloc: clear page->private in free_pages_prepare()
(CVE-2026-43303)
- bpf: Fix a few selftest failures due to llvm18 change
- net/packet: convert po->tp_tx_has_off to an atomic flag
- net/packet: convert po->tp_loss to an atomic flag
- net/packet: convert po->has_vnet_hdr to an atomic flag
- net/packet: convert po->running to an atomic flag
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
(CVE-2026-31700)
- [x86] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD
register
- drm/dp: Add eDP 1.5 bit definition
- [x86] drm/i915/psr: Read Intel DPCD workaround register
- [x86] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line
used
- net: gro: don't merge zcopy skbs (CVE-2026-46323)
- phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table
- phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
- hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
- hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with
pmbus_lock
- hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock
- iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
- usb: typec: ucsi: ccg: reject firmware images without a ':' record header
- usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
- usb: typec: altmodes/displayport: validate count before reading Status
Update VDO
- [x86] usb: typec: wcove: don't write past struct pd_message in
wcove_read_rx_buffer()
- usb: typec: ucsi: validate connector number in ucsi_connector_change()
- USB: serial: safe_serial: fix memory corruption with small endpoint
- HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
- Bluetooth: btusb: Allow firmware re-download when version matches
- hpfs: fix a crash if hpfs_map_dnode_bitmap fails
- ipc: limit next_id allocation to the valid ID range (CVE-2026-52923)
- auxdisplay: line-display: fix OOB read on zero-length message_store()
- Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
- Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
- Bluetooth: HIDP: fix missing length checks in hidp_input_report()
- Bluetooth: ISO: fix UAF in iso_recv_frame
- Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
- parport: Fix race between port and client registration (Closes: #1130365)
- USB: cdc-acm: Fix bit overlap and move quirk definitions to header
- wireguard: send: append trailer after expanding head
- iio: dac: ad5686: fix input raw value check
- iio: dac: ad5686: acquire lock when doing powerdown control
- iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
- iio: gyro: itg3200: fix i2c read into the wrong stack location
- iio: ssp_sensors: cancel delayed work_refresh on remove
- iio: temperature: tsys01: fix broken PROM checksum validation
- iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
- iio: light: cm3323: fix reg_conf not being initialized correctly
- iio: buffer: hw-consumer: fix use-after-free in error path
- USB: serial: omninet: fix memory corruption with small endpoint
- usb: dwc2: Fix use after free in debug code
- Input: elan_i2c - validate firmware size before use
- bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
- macsec: fix replay protection at XPN lower-PN wrap
- ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
- [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and
set_params
- ipv6: exthdrs: refresh nh after handling HAO option
- ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
- ipv6: validate extension header length before copying to cmsg
- xfrm: input: hold netns during deferred transport reinjection
- ip6: vti: Use ip6_tnl.net in vti6_changelink().
- HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
- iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
- nfc: hci: fix out-of-bounds read in HCP header parsing
- xfrm: route MIGRATE notifications to caller's netns
- xfrm: ah: use skb_to_full_sk in async output callbacks
- netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without
direction check
- [arm64] ASoC: qcom: q6asm-dai: close stream only when running
- [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and
trigger callbacks
- xfrm: esp: restore combined single-frag length gate
- Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
- [x86] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
- [x86] comedi: comedi_test: fix check for valid scan_begin_src in
waveform_ai_cmdtest()
- [x86] comedi: comedi_test: Fix limiting of convert_arg in
waveform_ai_cmdtest()
- counter: Fix refcount leak in counter_alloc() error path
- [i386] tty: serial: pch_uart: add check for dma_alloc_coherent()
- [arm*] usb: chipidea: core: convert ci_role_switch to local variable
- usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
- USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub
controllers
- usb: storage: Add quirks for PNY Elite Portable SSD
- usbip: vudc: Fix use after free bug in vudc_remove due to race condition
- usb: usbtmc: check URB actual_length for interrupt-IN notifications
- usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
- USB: serial: option: add MeiG SRM813Q
- USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
- USB: serial: belkin_sa: validate interrupt status length
- USB: serial: cypress_m8: validate interrupt packet headers
- USB: serial: keyspan: fix missing indat transfer sanity check
- USB: serial: mxuport: fix memory corruption with small endpoint
- USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
- usb: gadget: net2280: Fix double free in probe error path
- usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
- usb: gadget: f_fs: copy only received bytes on short ep0 read
- thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
- thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
- scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
- scsi: target: iscsi: Validate CHAP_R length before base64 decode
- drm/hyperv: validate resolution_count and fix WIN8 fallback
- drm/hyperv: validate VMBus packet size in receive callback
- [x86] drm/i915: Fix potential UAF in TTM object purge
- drm/amd/pm/si: Disregard vblank time when no displays are connected
- [arm64] serial: sh-sci: fix memory region release in error path
- [arm64] serial: fsl_lpuart: fix rx buffer and DMA map leaks in
start_rx_dma
- drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
- drm/amdkfd: Check for pdd drm file first in CRIU restore path
- HID: core: Add printk_ratelimited variants to hid_warn() etc
- HID: pass the buffer size to hid_report_raw_event
- HID: core: Fix size_t specifier in hid_report_raw_event()
- RDMA/rxe: Complete the rxe_cleanup_task backport
- USB: serial: digi_acceleport: fix memory corruption with small endpoints
- [arm*] xhci: tegra: Fix ghost USB device on dual-role port unplug
- netfilter: nf_tables: restore set elements when delete set fails
(CVE-2024-27012)
- USB: serial: cypress_m8: fix memory corruption with small endpoint
- bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is
loaded (CVE-2026-23310)
- usb: core: Fix SuperSpeed root hub wMaxPacketSize
- bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910)
- USB: serial: mct_u232: fix memory corruption with small endpoint
- [amd64] dmaengine: idxd: Fix not releasing workqueue on .release()
(CVE-2026-43064)
- i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl (CVE-2026-52948)
- ipv6: mcast: Fix use-after-free when processing MLD queries
(CVE-2026-53275)
- net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
(CVE-2026-53274)
- tee: optee: prevent use-after-free when the client exits before the
supplicant (CVE-2026-53273)
- netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
- ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270)
- netfilter: synproxy: add mutex to guard hook reference counting
(CVE-2026-53269)
- netfilter: conntrack_irc: fix possible out-of-bounds read
(CVE-2026-53268)
- netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266)
- dm cache policy smq: check allocation under invalidate lock
(CVE-2026-53265)
- net/sched: act_api: use RCU with deferred freeing for action lifecycle
(CVE-2026-53264)
- 6lowpan: fix off-by-one in multicast context address compression
(CVE-2026-53263)
- pcnet32: stop holding device spin lock during napi_complete_done
- net: Annotate sk->sk_write_space() for UDP SOCKMAP.
- net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
- net: lan743x: permit VLAN-tagged packets up to configured MTU
- [arm*] net: fec: fix pinctrl default state restore order on resume
- Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
(CVE-2026-53256)
- Bluetooth: MGMT: validate advertising TLV before type checks
(CVE-2026-53255)
- Bluetooth: RFCOMM: validate skb length in MCC handlers (CVE-2026-53254)
- Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame()
extension handling
- Bluetooth: bnep: reject short frames before parsing (CVE-2026-53253)
- Bluetooth: fix memory leak in error path of hci_alloc_dev()
(CVE-2026-53252)
- Bluetooth: MGMT: Fix backward compatibility with userspace
- ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249)
- ptp: vclock: Switch from RCU to SRCU
- vxlan: vnifilter: send notification on VNI add
- vxlan: vnifilter: fix spurious notification on VNI update
- ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
- net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
(CVE-2026-53245)
- sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924)
- ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp
- signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
(CVE-2026-53352)
- time: Fix off-by-one in settimeofday() usec validation
- ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked
streams (CVE-2026-53242)
- fs/ntfs3: Return error for inconsistent extended attributes
(CVE-2023-54125)
- usb: gadget: f_ncm: Fix net_device lifecycle with device_move
(CVE-2026-43421)
- usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
- net: skbuff: fix missing zerocopy reference in pskb_carve helpers
(CVE-2026-52943)
- tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320)
- [arm64] KVM: arm64: Remove VPIPT I-cache handling
- [arm64] tlb: Allow XZR argument to TLBI ops
- [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
- iomap: don't revert iov_iter on partially completed buffered writes
- xfrm: policy: fix use-after-free on inexact bin in
xfrm_policy_bysel_ctx() (CVE-2026-53239)
- netlabel: validate unlabeled address and mask attribute lengths
(CVE-2026-53238)
- ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
(CVE-2026-53350)
- tcp: restrict SO_ATTACH_FILTER to priv users (CVE-2026-53236)
- net/mlx4: avoid GCC 10 __bad_copy_from() false positive
- net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
(CVE-2026-52947)
- ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228)
- net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227)
- r8152: reduce the control transfer of rtl8152_get_version()
- r8152: Block future register access if register access fails
- r8152: handle the return value of usb_reset_device()
- sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225)
- net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223)
- net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic
completion (CVE-2026-52939)
- ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
(CVE-2026-53221)
- rds: mark snapshot pages dirty in rds_info_getsockopt()
- netfilter: nf_conntrack: destroy stale expectfn expectations on
unregister (CVE-2026-53349)
- netfilter: x_tables: avoid leaking percpu counter pointers
(CVE-2026-53219)
- netfilter: nf_log: validate MAC header was set before dumping it
(CVE-2026-52942)
- netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
(CVE-2026-53218)
- [arm*] net: mvpp2: sync RX data at the hardware packet offset
(CVE-2026-53217)
- [arm*] net: mvpp2: limit XDP frame size to the RX buffer (CVE-2026-53216)
- [arm*] net: mvpp2: Add metadata support for xdp mode
- [arm*] net: mvpp2: refill RX buffers before XDP or skb use
(CVE-2026-53215)
- [arm*] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
- netfilter: ctnetlink: ensure safe access to master conntrack
(CVE-2026-43116)
- [arm*] drm/vc4: fix krealloc() memory leak (CVE-2026-53213)
- netfilter: nft_tunnel: fix use-after-free on object destroy
(CVE-2026-53212)
- Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
(CVE-2026-53209)
- Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
(CVE-2026-53208)
- [x86] drm/i915/gem: Fix phys BO pread/pwrite with offset (CVE-2026-53356)
- ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
(CVE-2026-53198)
- xfrm: espintcp: do not reuse an in-progress partial send (CVE-2026-52935)
- USB: serial: io_ti: fix heap overflow in get_manuf_info()
(CVE-2026-53196)
- USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
(CVE-2026-53195)
- USB: serial: option: add usb-id for Dell Wireless DW5826e-m
- USB: serial: kl5kusb105: fix bulk-out buffer overflow (CVE-2026-53194)
- ALSA: timer: Fix UAF at snd_timer_user_params()
- drm/amd/display: Reject gpio_bitshift >= 32 in
bios_parser_get_gpio_pin_info()
- RDMA/srp: bound SRP_RSP sense copy by the received length
(CVE-2026-53186)
- udp: clear skb->dev before running a sockmap verdict (CVE-2026-53184)
- [armhf] socfpga: Fix OF node refcount leak in SMP setup
- [armel,armhf] 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
- [armel,armhf] 9475/1: entry: use byte load for KASAN VMAP stack shadow
(CVE-2026-53343)
- mptcp: fix retransmission loop when csum is enabled
- mptcp: close TOCTOU race while computing rcv_wnd
- mptcp: allow subflow rcv wnd to shrink (CVE-2026-53183)
- mptcp: sockopt: check timestamping ret value
- wifi: nl80211: reject oversized EMA RNR lists (CVE-2026-53182)
- vsock/vmci: fix sk_ack_backlog leak on failed handshake (CVE-2026-53181)
- bnxt_en: Fix NULL pointer dereference (CVE-2026-53177)
- IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
(CVE-2026-53176)
- pidfd: refuse access to tasks that have started exiting harder
- fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168)
- [arm*] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
(CVE-2026-53339)
- [armhf] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
- [arm*] i2c: tegra: Fix NOIRQ suspend/resume
- [x86] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
- [x86] Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
- ipc/shm: serialize orphan cleanup with shm_nattch updates
(CVE-2026-52930)
- [arm*] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue
context (CVE-2026-53161)
- [arm*] misc: fastrpc: fix use-after-free race in fastrpc_map_create
(CVE-2026-53160)
- [arm*] misc: fastrpc: fix DMA address corruption due to find_vma misuse
(CVE-2026-53159)
- net/mlx5: Reorder completion before putting command entry in
cmd_work_handler
- net: bonding: fix NULL pointer dereference in bond_do_ioctl()
(CVE-2026-53337)
- [armel,armhf] net: mv643xx: fix OF node refcount
- net: rds: clear i_sends on setup unwind (CVE-2026-53355)
- mmc: core: Fix host controller programming for fixed driver type
- [arm64] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
- mmc: sdhci: add signal voltage switch in sdhci_resume_host
- sctp: diag: reject stale associations in dump_one path (CVE-2026-52917)
- sctp: stream: fully roll back denied add-stream state (CVE-2026-52929)
- thunderbolt: Reject zero-length property entries in validator
(CVE-2026-53150)
- thunderbolt: Bound root directory content to block size (CVE-2026-53149)
- thunderbolt: Clamp XDomain response data copy to allocation size
(CVE-2026-53148)
- thunderbolt: Validate XDomain request packet size before type cast
(CVE-2026-53147)
- thunderbolt: Limit XDomain response copy to actual frame size
(CVE-2026-53146)
- slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock (CVE-2026-53331)
- drm/amdgpu: restart the CS if some parts of the VM are still invalidated
- drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
(CVE-2026-53137)
- drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
(CVE-2026-53136)
- drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
(CVE-2026-53135)
- drm/amd/display: Use krealloc_array() in dal_vector_reserve()
(CVE-2026-53329)
- fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
(CVE-2026-52946)
- mm/hugetlb: avoid false positive lockdep assertion
- mm/damon/ops-common: call folio_test_lru() after folio_get()
- mm/huge_memory: update file PMD counter before folio_put()
(CVE-2026-53189)
- f2fs: use kfree() instead of kvfree() to free some memory
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
f2fs_write_end_io() (CVE-2026-31715)
- ksmbd: require minimum ACE size in smb_check_perm_dacl() (CVE-2026-31712)
- smb: client: validate the whole DACL before rewriting it in cifsacl
(CVE-2026-31709)
- [arm64] mm: Enable batched TLB flush in unmap_hotplug_range()
- lib: test_hmm: evict device pages on file close to avoid use-after-free
(CVE-2026-46280)
- wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
(CVE-2026-46069)
- [arm*] spi: imx: Convert to platform remove callback returning void
- [arm*] spi: imx: fix use-after-free on unbind (CVE-2026-45996)
- thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021)
- media: rc: ttusbir: respect DMA coherency rules
- media: rc: igorplugusb: heed coherency rules
- sched: Use u64 for bandwidth ratio calculations
- net: qrtr: ns: Limit the maximum number of lookups (CVE-2026-46026)
- net: qrtr: ns: Change servers radix tree to xarray
- net: qrtr: ns: Free the node during ctrl_cmd_bye() (CVE-2026-46038)
- net: qrtr: ns: Limit the total number of nodes (CVE-2026-46003)
- net: bridge: use a stable FDB dst snapshot in RCU readers
(CVE-2026-46086)
- spi: fix resource leaks on device setup failure (CVE-2026-46083)
- fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
(CVE-2026-46065)
- xfs: fix a resource leak in xfs_alloc_buftarg() (CVE-2026-46005)
- udf: fix partition descriptor append bookkeeping (CVE-2026-45991)
- hfsplus: fix uninit-value by validating catalog record size
(CVE-2026-46169)
- hfsplus: fix held lock freed on hfsplus_fill_super() (CVE-2026-46299)
- erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
(CVE-2026-45999)
- ceph: only d_add() negative dentries when they are unhashed
(CVE-2026-46052)
- printk: add print_hex_dump_devel()
- [arm*] crypto: caam - guard HMAC key hex dumps in hash_digest_key
(CVE-2026-46291)
- net: stmmac: avoid shadowing global buf_sz
- net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
- net: stmmac: Prevent NULL deref when RX memory exhausted (CVE-2026-46110)
- tracepoint: balance regfunc() on func_add() failure in
tracepoint_add_func() (CVE-2026-46196)
- wifi: mac80211: remove station if connection prep fails (CVE-2026-46125)
- wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
task (CVE-2026-46180)
- [arm*] usb: dwc3: Move GUID programming after PHY initialization
- net: ipv4: stop checking crypto_ahash_alignmask
- net: ipv6: stop checking crypto_ahash_alignmask
- xfrm: ah: account for ESN high bits in async callbacks (CVE-2026-46193)
- xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
(CVE-2026-46116)
- [armhf] spi: sun4i: Convert to platform remove callback returning void
- [armfh] spi: sun4i: switch to use modern name
- [armhf] spi: sun4i: fix controller deregistration
- spi: Convert to SPI_CONTROLLER_HALF_DUPLEX
- [armhf] spi: spi-ti-qspi: Convert to platform remove callback returning
void
- [armhf] spi: spi-ti-qspi: switch to use modern name
- [armhf] spi: ti-qspi: fix controller deregistration
- [arm*] spi: sun6i: fix controller deregistration
- [arm*] spi: s3c64xx: Use devm_clk_get_enabled()
- [arm*] spi: s3c64xx: fix NULL-deref on driver unbind (CVE-2026-46296)
- mtd: spi-nor: core: fix implicit declaration warning
- mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
(CVE-2026-46190)
- [arm*] spi: tegra114: fix controller deregistration
- [arm*] spi: tegra20-sflash: fix controller deregistration
- mm/hugetlb_cma: round up per_node before logging it
- net: wwan: t7xx: validate port_count against message length in
t7xx_port_enum_msg_handler (CVE-2026-43495)
- fbcon: Avoid OOB font access if console rotation fails (CVE-2026-46191)
- [i386] spi: topcliff-pch: Convert to platform remove callback returning
void
- btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak (CVE-2026-46159)
- tracing/probes: Limit size of event probe to 3K
- btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
- btrfs: fix double free in create_space_info_sub_group() error path
(CVE-2026-46164)
- pmdomain: core: Fix detach procedure for virtual devices in genpd
(CVE-2026-46292)
- smb: client: validate dacloffset before building DACL pointers
(CVE-2026-46195)
- smb: client: Use FullSessionKey for AES-256 encryption key derivation
- btrfs: fix missing last_unlink_trans update when removing a directory
(CVE-2026-46160)
- mptcp: fastclose msk when linger time is 0
- mptcp: pm: prio: skip closed subflows
- mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
- mptcp: pm: ADD_ADDR rtx: allow ID 0
- mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137)
- mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
- f2fs: fix incorrect file address mapping when inline inode is unwritten
- f2fs: fix false alarm of lockdep on cp_global_sem lock
- cgroup/cpuset: Reset DL migration state on can_attach() failure
- genetlink: Use internal flags for multicast groups
- smb: client: require net admin for CIFS SWN netlink
- Bluetooth: hci_qca: Convert timeout from jiffies to ms
- mm/memory: fix spurious warning when unmapping device-private/exclusive
pages
- Bluetooth: Init sk_peer_* on bt_sock_alloc
- Bluetooth: serialize accept_q access (CVE-2026-52918)
- net: hsr: defer node table free until after RCU readers
- ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
- ice: fix VF queue configuration with low MTU values
- mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
- [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
- mptcp: reset rcv wnd on disconnect
- mptcp: do not drop partial packets
- [x86] platform/x86/intel/vsec: Add private data for per-device data
- [x86] platform/x86/intel/vsec: Create wrapper to walk PCI config space
- [x86] platform/x86/intel/vsec: Make driver_data info const
- [x86] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error
recovery
- [arm64] spi: qup: switch to use modern name
- [arm64] spi: qup: fix error pointer deref after DMA setup failure
- [arm64] tlb: Flush walk cache when unsharing PMD tables
- phy: tegra: xusb: Disable trk clk when not in use
- phy: tegra: xusb: Fix per-pad high-speed termination calibration
- iio: gyro: adis16260: fix division by zero in write_raw
- iio: dac: ad5686: fix ref bit initialization for single-channel parts
- ALSA: firewire-motu: Protect register DSP event queue positions
- [armhf] serial: samsung_tty: Use port lock wrappers
- [armhf] tty: serial: samsung: use u32 for register interactions
- [armhf] tty: serial: samsung: Remove redundant port lock acquisition in
rx helpers
- [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
- [armhf] usb: musb: omap2430: Fix use-after-free in omap2430_probe()
- usb: gadget: f_hid: tidy error handling in hidg_alloc
- usb: gadget: f_hid: fix device reference leak in hidg_alloc()
- usb: typec: ucsi: Check if power role change actually happened before
handling
- thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
- [arm64] tty: serial: qcom-geni-serial: remove unused symbols
- [arm64] tty: serial: qcom-geni-serial: align #define values
- [arm64] serial: qcom-geni: fix UART_RX_PAR_EN bit position
- scsi: target: iscsi: Fix CRC overread and double-free in
iscsit_handle_text_cmd()
- usb: typec: ucsi: Don't update power_supply on power role change if not
connected
- netfilter: nft_fib: fix stale stack leak via the OIFNAME register
(CVE-2026-53134)
- hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
(CVE-2026-53199)
- mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb()
- mm/migrate: don't call folio_putback_active_hugetlb() on dst hugetlb
folio
- mm/hugetlb: rename folio_putback_active_hugetlb() to
folio_putback_hugetlb()
- mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
- mm/memory-failure: fix hugetlb_lock AA deadlock in
get_huge_page_for_hwpoison (CVE-2026-53207)
- RDMA: Move DMA block iterator logic into dedicated files
- RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133)
- ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850)
- blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed
before init (CVE-2023-54271)
- batman-adv: stop tp_meter sessions during mesh teardown (CVE-2026-46208)
- batman-adv: tp_meter: fix tp_num leak on kmalloc failure
- [x86] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
- perf build: Conditionally define NDEBUG
- perf parse-events: Make YYDEBUG dependent on doing a debug build
- perf build: Disable fewer bison warnings
- [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
- ipmi:ssif: Fix a shutdown race
- ipmi:ssif: Clean up kthread on errors (CVE-2026-46044)
- usb: typec: tcpm: reset internal port states on soft reset AMS
- lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
(CVE-2026-43492)
- ipmi:ssif: Remove unnecessary indention
- ipmi:ssif: NULL thread on error
- [arm*] drm/v3d: Reject empty multisync extension to prevent infinite
loop (CVE-2026-46314)
- [arm64] Mitigate TLBI errata on various CPU cores (CVE-2025-10263):
+ cputype: Add NVIDIA Olympus definitions
+ cputype: Add C1-Ultra definitions
+ cputype: Add C1-Premium definitions
+ errata: Mitigate TLBI errata on various Arm CPUs (CVE-2026-53354)
+ errata: Mitigate TLBI errata on NVIDIA Olympus CPU
+ errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
- [armhf] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
(regression in 6.1.165)
- [x86] CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
(regression in 6.1.173)
- r8152: Hold the rtnl_lock for all of reset
- media: rc: ttusbir: fix inverted error logic
- batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
- media: rc: igorplugusb: fix control request setup packet (CVE-2026-46091)
- ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
- batman-adv: tp_meter: fix race condition in send error reporting
- batman-adv: tp_meter: avoid role confusion in tp_list
- netfilter: require Ethernet MAC header before using eth_hdr()
(CVE-2026-53131)
.
[ Ben Hutchings ]
* Refresh "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets"
* [rt] Add new signing key for Clark Williams
* [rt] Update to 6.1.176-rt64:
- ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
- [x86] kvm/vmx: guard regparm(0) on vmread_error_trampoline for x86_32
only
* [x86] Revert "x86/CPU: Only try to mitigate FPDSS on Zen1" as redundant
* Revert "net: ipv4: stop checking crypto_ahash_alignmask"
* Revert "net: ipv6: stop checking crypto_ahash_alignmask"
* Revert "Bluetooth: L2CAP: use chan timer to close channels in
cleanup_listen()"
* cgroup/cpuset: Fix misplaced call to reset_migrate_dl_data()
* media: uvcvideo: Create an ID namespace for streaming output terminals
* [ppc64el] cpuidle: Set CPUIDLE_FLAG_POLLING for snooze state
* Revert "media: rc: streamzap: Error handling in probe"
* Revert "epoll: use refcount to reduce ep_mutex contention"
(CVE-2025-38349, CVE-2026-46242)
.
[ Salvatore Bonaccorso ]
* ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909)
* net/sched: act_pedit: check static offsets a priori
* net/sched: act_pedit: rate limit datapath messages
* net/sched: fix pedit partial COW leading to page cache corruption
(CVE-2026-46331)
* net/sched: act_pedit: free pedit keys on bail from offset check
Checksums-Sha1:
bda1e6c17284d2a8be3bb0629cc8de4517f26484 290776 linux_6.1.176-1.dsc
4441b32974d18ee4e4be15a51f647a221bc4d94a 137945728 linux_6.1.176.orig.tar.xz
e2287221a33002c0596427f28f9863b0902c82d7 1873136 linux_6.1.176-1.debian.tar.xz
9f6f6bf45c2d76c5048813acc08383a9c5299bf8 6537 linux_6.1.176-1_source.buildinfo
Checksums-Sha256:
640124b35c5d7e32af9a9d536c47cfebf723fbb86bfbb25d0f2729b798bca35e 290776
linux_6.1.176-1.dsc
9aad4025973feea3f0d978e82ab7db97d8d5ce3f59fcc6b1f316153d66e3a504 137945728
linux_6.1.176.orig.tar.xz
10477b04dc15f7c1c52d8c812c889be5fd37aa178163e352755cd137c73ade6b 1873136
linux_6.1.176-1.debian.tar.xz
02c7115da0c0a2aa72b251ad98090388f0842bb2136a0c1113519b607878a664 6537
linux_6.1.176-1_source.buildinfo
Files:
5293dfe525a253ae95342e2b28388a1a 290776 kernel optional linux_6.1.176-1.dsc
8ed41488a97b99fe31a4e16184f7bef7 137945728 kernel optional
linux_6.1.176.orig.tar.xz
7e40cb422a15f62b48d9e077cce6d2a9 1873136 kernel optional
linux_6.1.176-1.debian.tar.xz
d545a16aa102ac5761527c46a969e0f1 6537 kernel optional
linux_6.1.176-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmpG9AoACgkQ57/I7JWG
EQlMcw//dwk7T9atm43n4jPrNWFT2uAsmi4joSJ9D2KErm3K85g68zHxJeVZmBc8
o3/Mu9FNsk7b4SE+w/snoSTQQnLnk3Fy0StLbwEhBZpjOIyRkktTNu8QP5ed0Kar
vIWH+h2auc4jXgtS3jkVOJ27QFcfOcCzf+UQeoFn6VrHAezqubIU1uqrqyWgcrOa
RL12+nv/FEkMob61Br05kFVv5vSzi/6CrhyT3dRRUErJu0r8Jyr8xTTIUFyhSRso
vGhJ5qaO/EoQUQyiV+rRmFC0B7wn+kgDL4ZGzmPP363Iyhn79/LZ+JFbl/9I9TIM
tsNA5K8KnYr0Ae6ymKCah3um5/6FP5aw/qIknBV3+Xl0o6Vy/Rpq2OIg2URpQPzx
W2t2326xVIpmqTDvww0lE+L2cx657f4cBS3MOP0y1efYf92A+zFbKOqx0xZ+lCpS
UP+XPy6oM1abvakYAGbVTdFHZSMts8cjLiI8aYwVvTCy9XFhW4RgWCQt6mxdepiH
oZ+v38ZOvbbXP7LaE/qDnpJWhYpa2J+C+NAllY1aBq1iCFXt/DSfH4jkgBvwt54+
Qo0KCtJzcczau2I/QmrZOXWJQLCJrTrAx1TS4ew9WJfUxtFYLCzaQpRzGgpJfnRZ
rjR0llEiv8dHD0l+P9ZO/oAFwldLrowlEfzVoiiY/GR9ueWMVyU=
=ch9X
-----END PGP SIGNATURE-----
pgpXEZocUrEsu.pgp
Description: PGP signature
--- End Message ---