- crypto: algif_aead - Fix minimum RX size check for decryption {CVE-2026-31431} - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl {CVE-2026-31431} - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec {CVE-2026-31431} - crypto: authencesn - Fix src offset when decrypting in-place {CVE-2026-31431} - crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption {CVE-2026-31431} - crypto: authenc - use memcpy_sglist() instead of null skcipher {CVE-2026-31431} - crypto: algif_aead - snapshot IV for async AEAD requests {CVE-2026-31431} - crypto: algif_aead - Revert to operating out-of-place {CVE-2026-31431} - crypto: algif_aead - use memcpy_sglist() instead of null skcipher {CVE-2026-31431} - crypto: scatterwalk - Backport memcpy_sglist() {CVE-2026-31431} - scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() {CVE-2026-23216} - VMCI: Fix use-after-free when removing resource in vmci_resource_remove() {CVE-2024-46738} - ptp: fix integer overflow in max_vclocks_store {CVE-2024-40994} - xsk: Fix xsk_diag use-after-free error during socket cleanup {CVE-2023-53426} - net: hns3: add VLAN id validation before using {CVE-2025-71112} - scsi: qla2xxx: Fix improper freeing of purex item {CVE-2025-68741} - tracing: Consider the NULL character when validating the event length {CVE-2024-50131} - capabilities: fix undefined behavior in bit shift for CAP_TO_MASK {CVE-2022-49870} - scsi: libsas: Fix use-after-free bug in smp_execute_task_sg() {CVE-2022-50422} - netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() {CVE-2026-23111} - team: fix check for port enabled in team_queue_override_port_prio_changed() {CVE-2025-71091} - i2c: piix4: Fix adapter not be removed in piix4_remove() {CVE-2022-49900} - libceph: replace overzealous BUG_ON in osdmap_apply_incremental() {CVE-2026-22990} - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert {CVE-2025-38387} - ACPICA: Refuse to evaluate a method if arguments are missing {CVE-2025-38386} - drm/tegra: Fix a possible null pointer dereference {CVE-2025-38363} - ACPICA: fix acpi operand cache leak in dswstate.c {CVE-2025-38345} - ACPICA: fix acpi parse and parseext cache leaks {CVE-2025-38344} - jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() {CVE-2025-38337} - x86/sgx: Prevent attempts to reclaim poisoned pages {CVE-2025-38334} - mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). {CVE-2025-38324} - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table {CVE-2025-38319} - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() {CVE-2025-38312} - seg6: Fix validation of nexthop addresses {CVE-2025-38310} - bpf: Fix WARN() in get_bpf_raw_tp_regs {CVE-2025-38285} - atm: clip: prevent NULL deref in clip_push() {CVE-2025-38251} - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference {CVE-2025-38231} - ext4: inline: fix len overflow in ext4_prepare_inline_data {CVE-2025-38222} - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var {CVE-2025-38215} - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var {CVE-2025-38214} - atm: Revert atm_account_tx() if copy_from_iter_full() fails. {CVE-2025-38190} - tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer {CVE-2025-38184} - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). {CVE-2025-38181} - thunderbolt: Do not double dequeue a configuration request {CVE-2025-38174} - bpf: fix ktls panic with sockmap {CVE-2025-38166} - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO {CVE-2025-38122} - net_sched: sch_sfq: fix a potential crash on gso_skb handling {CVE-2025-38115} - x86/iopl: Cure TIF_IO_BITMAP inconsistencies {CVE-2025-38100} - dma-buf: insert memory barrier before updating num_fences {CVE-2025-38095} - net_sched: prio: fix a race in prio_tune() {CVE-2025-38083} - libnvdimm/labels: Fix divide error in nd_label_data_init() {CVE-2025-38072} - dm cache: prevent BUG_ON by blocking retries on failed device resumes {CVE-2025-38066} - dm: fix unconditional IO throttle caused by REQ_PREFLUSH {CVE-2025-38063} - net: pktgen: fix access outside of user given buffer in pktgen_thread_write() {CVE-2025-38061} - __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock {CVE-2025-38058} - media: cx231xx: set device_caps for 417 {CVE-2025-38044} - firmware: arm_ffa: Set dma_mask for ffa devices {CVE-2025-38043} - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs {CVE-2025-38040} - vxlan: Annotate FDB data races {CVE-2025-38037} - nvmet-tcp: don't restore null sk_state_change {CVE-2025-38035} - nfs: handle failure of nfs_get_lock_context in unlock path {CVE-2025-38023} - wifi: mt76: disable napi on driver removal {CVE-2025-38009} - openvswitch: Fix unsafe attribute parsing in output_userspace() {CVE-2025-37998} - netfilter: ipset: fix region locking in hash types {CVE-2025-37997} - module: ensure that kobject_put() is safe for module type kobjects {CVE-2025-37995} - wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() {CVE-2025-37990} - USB: wdm: close race between wdm_open and wdm_wwan_port_stop {CVE-2025-37985} - usb: typec: ucsi: displayport: Fix deadlock {CVE-2025-37967} - bpf: Scrub packet on bpf_redirect_peer {CVE-2025-37959} - xenbus: Use kref to track req lifetime {CVE-2025-37949} - ftrace: Add cond_resched() to ftrace_graph_set_hash() {CVE-2025-37940} - drm/sched: Increment job count before swapping tail spsc queue {CVE-2025-38515} - intel_th: Fix a resource leak in an error handling path {CVE-2022-50143} - net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer {CVE-2025-39937} - net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() {CVE-2025-39876} - i2c: qup: jump out of the loop in case of timeout {CVE-2025-38671} - regulator: core: fix NULL dereference on unbind due to stale coupling data {CVE-2025-38668} - PM / devfreq: Check governor before using governor->name {CVE-2025-38609} - inotify: Avoid reporting event with invalid wd {CVE-2023-54119} - net/sched: cls_u32: use skb_header_pointer_careful() {CVE-2026-23204} - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies {CVE-2025-40096} - smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) {CVE-2025-39932} - xfs: do not propagate ENODATA disk errors into xattr code {CVE-2025-39835} - fbdev: bitblit: bound-check glyph index in bit_putcs* {CVE-2025-40322} - mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() {CVE-2025-39737} - bpf: Do not let BPF test infra emit invalid GSO types to stack {CVE-2025-68725} - HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() {CVE-2025-39808} - net: usb: rtl8150: fix memory leak on usb_submit_urb() failure {CVE-2025-71154} - block: avoid possible overflow for chunk_sectors check in blk_stack_limits() {CVE-2025-39795} - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq {CVE-2025-39706} - sctp: initialize more fields in sctp_v6_from_sk() {CVE-2025-39812} - scsi: qla4xxx: Prevent a potential error pointer dereference {CVE-2025-39676} - libceph: return the handler error from mon_handle_auth_done() {CVE-2026-22992} - drm/radeon: delete radeon_fence_process in is_signaled, no deadlock {CVE-2025-68223} - jbd2: prevent softlockup in jbd2_log_do_checkpoint() {CVE-2025-39782} - net: sock: fix hardened usercopy panic in sock_recv_errqueue {CVE-2026-22977} - wifi: ath11k: clear initialized flag for deinit-ed srng lists {CVE-2025-38601} - team: Move team device type change at the end of team_port_add {CVE-2025-68340} - can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak {CVE-2026-23061} - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec {CVE-2026-23060} - libceph: make free_choose_arg_map() resilient to partial allocation {CVE-2026-22991} - KEYS: trusted: Fix a memory leak in tpm2_load_cmd {CVE-2025-71147} - ftrace: Fix potential warning in trace_printk_seq during ftrace_dump {CVE-2025-39813} - x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() {CVE-2025-39845} - rxrpc: Fix oops due to non-existence of prealloc backlog struct {CVE-2025-38514} - netfilter: ctnetlink: fix refcount leak on table dump {CVE-2025-38721} - bpf: Reject %p% format string in bprintf-like helpers {CVE-2025-38528} - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() {CVE-2025-39675} - net/packet: fix a race in packet_set_ring() and packet_notifier() {CVE-2025-38617} - ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr {CVE-2025-38701} - cgroup: split cgroup_destroy_wq into 3 workqueues {CVE-2025-39953} - NFS: Fix the setting of capabilities when automounting a new filesystem {CVE-2025-39798} - fs: Prevent file descriptor table allocations exceeding INT_MAX {CVE-2025-39756} - media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() {CVE-2025-39713} - wifi: mac80211: reject TDLS operations when station is not associated {CVE-2025-38644} - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() {CVE-2025-38706} - scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated {CVE-2025-38700} - smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path {CVE-2025-39929} - mm: move page table sync declarations to linux/pgtable.h {CVE-2025-39844} - ppp: fix memory leak in pad_compress_skb {CVE-2025-39847} - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras {CVE-2025-38540} - libceph: prevent potential out-of-bounds reads in handle_auth_done() {CVE-2026-22984} - iommu: disable SVA when CONFIG_X86 is set {CVE-2025-71089} - netfilter: nf_tables: fix use-after-free in nf_tables_addchain() {CVE-2026-23231} - ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() {CVE-2026-23089} - macvlan: fix possible UAF in macvlan_forward_source() {CVE-2026-23001} - mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats {CVE-2025-68800} - be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list {CVE-2026-23084} - wifi: ath10k: fix dma_free_coherent() pointer {CVE-2026-23133} - wifi: ath11k: fix node corruption in ar->arvifs list {CVE-2025-38293} - x86/mm: Check return value from memblock_phys_alloc_range() {CVE-2025-38071} - net: Fix TOCTOU issue in sk_is_readable() {CVE-2025-38112} - net: phy: mscc: Fix memory leak when using one step timestamping {CVE-2025-38148} - mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure {CVE-2026-23144} - scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() {CVE-2026-23193} - nfsd: provide locking for v4_end_grace {CVE-2026-22980} - migrate: correct lock ordering for hugetlb file folios {CVE-2026-23097} - bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls {CVE-2025-38608} - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure {CVE-2025-38695} - mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock {CVE-2025-39736} - net: drop UFO packets in udp_rcv_segment() {CVE-2025-38622} - net: bridge: fix soft lockup in br_multicast_query_expired() {CVE-2025-39773} - iwlwifi: Add missing check for alloc_ordered_workqueue {CVE-2025-38602} - net, hsr: reject HSR frame if skb can't hold tag {CVE-2025-39703} - crypto: ccp - Fix crash when rebind ccp device for ccp.ko {CVE-2025-38581} - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() {CVE-2025-39742} - net: stmmac: make sure that ptp_rate is not 0 before configuring EST {CVE-2025-38125} - net/sched: Restrict conditions for adding duplicating netems to qdisc tree {CVE-2025-38553} - io_uring/net: commit partial buffers on retry {CVE-2025-38730} - perf/core: Prevent VMA split of buffer mappings {CVE-2025-38563} - ALSA: aloop: Fix racy access at PCM trigger {CVE-2026-23191}