From: Ulrich Hecht <uli@fpond.eu>
To: "cip-dev@lists.cip-project.org" <cip-dev@lists.cip-project.org>,
"pavel@nabladev.com" <pavel@nabladev.com>,
"jan.kiszka@siemens.com" <jan.kiszka@siemens.com>,
"masami.ichikawa@cybertrust.co.jp"
<masami.ichikawa@cybertrust.co.jp>,
"chris.paterson2@renesas.com" <chris.paterson2@renesas.com>,
"nobuhiro.iwamatsu.x90@mail.toshiba"
<nobuhiro.iwamatsu.x90@mail.toshiba>
Subject: [ANNOUNCE] Release v4.19.325-cip134
Date: Mon, 29 Jun 2026 12:34:34 +0200 (CEST) [thread overview]
Message-ID: <1029449999.62165.1782729274698@webmail.strato.de> (raw)
Hi,
the CIP kernel team has released Linux kernel v4.19.325-cip134. The linux-4.19.y-cip tree's base version has been updated to v4.19-st18. The trees are up-to-date with kernel 5.10.258.
You can get this release via the git tree or as a tarball from https://mirrors.edge.kernel.org/pub/linux/kernel/projects/cip/4.19/
v4.19.325-cip134:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.19.y-cip
commit hash:
774e9597d38ad0d067a1d50e502503224b74f9f5
Fixed CVEs:
CVE-2026-45981: s390/cio: Fix device lifecycle handling in css_alloc_subchannel()
CVE-2021-47188: scsi: ufs: core: Improve SCSI abort handling
CVE-2022-50073: net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null
CVE-2022-50552: blk-mq: use quiesced elevator switch when reinitializing queues
CVE-2024-53213: net: usb: lan78xx: Fix double free issue with interrupt buffer allocation
CVE-2025-38710: gfs2: Validate i_depth for exhash directories
CVE-2026-23442: ipv6: add NULL checks for idev in SRv6 paths
CVE-2026-23444: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
CVE-2026-31532: can: raw: fix ro->uniq use-after-free in raw_rcv()
CVE-2026-31576: media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
CVE-2026-31577: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
CVE-2026-31578: media: as102: fix to not free memory after the device is registered in as102_usb_probe()
CVE-2026-31580: bcache: fix cached_dev.sb_bio use-after-free and crash
CVE-2026-31581: ALSA: 6fire: fix use-after-free on disconnect
CVE-2026-31583: media: em28xx: fix use-after-free in em28xx_v4l2_open()
CVE-2026-31586: KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock
CVE-2026-31588: KVM: x86: Use scratch field in MMIO fragment to hold small write values
CVE-2026-31596: ocfs2: handle invalid dinode in ocfs2_group_extend
CVE-2026-31597: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
CVE-2026-31598: ocfs2: fix possible deadlock between unlink and dio_end_io_write
CVE-2026-31602: ALSA: ctxfi: Limit PTP to a single page
CVE-2026-31605: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
CVE-2026-31607: usbip: validate number_of_packets in usbip_pack_ret_submit()
CVE-2026-31615: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
CVE-2026-31616: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
CVE-2026-31617: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
CVE-2026-31618: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
CVE-2026-31619: ALSA: fireworks: bound device-supplied status before string array lookup
CVE-2026-31622: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
CVE-2026-31623: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
CVE-2026-31624: HID: core: clamp report_size in s32ton() to avoid undefined shift
CVE-2026-31625: HID: alps: fix NULL pointer dereference in alps_raw_event()
CVE-2026-31626: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
CVE-2026-31627: i2c: s3c24xx: check the size of the SMBUS message before using it
CVE-2026-31629: nfc: llcp: add missing return after LLCP_CLOSED checks
CVE-2026-31630: rxrpc: proc: size address buffers for %pISpc output
CVE-2026-31634: rxrpc: fix reference count leak in rxrpc_server_keyring()
CVE-2026-31637: rxrpc: reject undecryptable rxkad response tickets
CVE-2026-31642: rxrpc: Fix call removal to use RCU safe deletion
CVE-2026-31657: batman-adv: hold claim backbone gateways by reference
CVE-2026-31664: xfrm: clear trailing padding in build_polexpire()
CVE-2026-31673: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
CVE-2026-31681: netfilter: xt_multiport: validate range encoding in checkentry
CVE-2026-31684: net: sched: act_csum: validate nested VLAN headers
CVE-2026-31685: netfilter: ip6t_eui64: reject invalid MAC header for all packets
CVE-2026-31686: mm/kasan: fix double free for kasan pXds
CVE-2026-31696: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
CVE-2026-31698: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
CVE-2026-31699: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
CVE-2026-31701: ALSA: caiaq: take a reference on the USB device in create_card()
CVE-2026-43080: l2tp: Drop large packets with UDP encap
CVE-2026-43085: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
CVE-2026-43089: xfrm_user: fix info leak in build_mapping()
CVE-2026-43093: xsk: tighten UMEM headroom validation to account for tailroom and min frame
CVE-2026-43104: drm/vc4: Fix a memory leak in hang state error path
CVE-2026-43105: drm/vc4: Fix memory leak of BO array in hang state
CVE-2026-43493: crypto: pcrypt - Fix handling of MAY_BACKLOG requests
CVE-2026-43496: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
CVE-2026-43502: net/rds: handle zerocopy send cleanup before the message is queued
CVE-2026-45834: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
CVE-2026-45835: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
CVE-2026-45836: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
CVE-2026-45838: bpf: fix end-of-list detection in cgroup_storage_get_next_key()
CVE-2026-45840: openvswitch: cap upcall PID array size and pre-size vport replies
CVE-2026-45841: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
CVE-2026-45842: slip: reject VJ receive packets on instances with no rstate array
CVE-2026-45843: slip: bound decode() reads against the compressed packet length
CVE-2026-45844: netfilter: arp_tables: fix IEEE1394 ARP payload parsing
CVE-2026-45986: crypto: ccree - fix a memory leak in cc_mac_digest()
CVE-2026-45994: ibmasm: fix OOB reads in command_file_write due to missing size checks
CVE-2026-46004: ALSA: caiaq: Handle probe errors properly
CVE-2026-46018: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
CVE-2026-46019: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
CVE-2026-46022: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
CVE-2026-46023: dm mirror: fix integer overflow in create_dirty_log()
CVE-2026-46033: crypto: authencesn - reject short ahash digests during instance creation
CVE-2026-46040: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
CVE-2026-46043: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-46046: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
CVE-2026-46048: ALSA: caiaq: fix usb_dev refcount leak on probe failure
CVE-2026-46049: ALSA: ctxfi: Add fallback to default RSR for S/PDIF
CVE-2026-46051: md/raid5: fix soft lockup in retry_aligned_read()
CVE-2026-46064: ibmasm: fix heap over-read in ibmasm_send_i2o_message()
CVE-2026-46070: md/raid5: validate payload size before accessing journal metadata
CVE-2026-46077: crypto: atmel-tdes - fix DMA sync direction
CVE-2026-46088: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
CVE-2026-46098: net: caif: clear client service pointer on teardown
CVE-2026-46102: net: strparser: fix skb_head leak in strp_abort_strp()
CVE-2026-46108: ipmi:si: Return state to normal if message allocation fails
CVE-2026-46109: usb: ulpi: fix memory leak on ulpi_register() error paths
CVE-2026-46120: ip6_gre: Use cached t->net in ip6erspan_changelink().
CVE-2026-46122: wifi: b43: enforce bounds check on firmware key index in b43_rx()
CVE-2026-46124: isofs: validate block number from NFS file handle in isofs_export_iget
CVE-2026-46127: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
CVE-2026-46128: ipmi: Check event message buffer response for bad data
CVE-2026-46133: RDMA/rxe: Reject unknown opcodes before ICRC processing
CVE-2026-46146: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
CVE-2026-46149: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
CVE-2026-46161: md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
CVE-2026-46163: wifi: b43legacy: enforce bounds check on firmware key index in RX path
CVE-2026-46177: ipmi: Add limits to event and receive message requests
CVE-2026-46184: sound: ua101: fix division by zero at probe
CVE-2026-46187: wifi: rsi: fix kthread lifetime race between self-exit and external-stop
CVE-2026-46198: batman-adv: fix integer overflow on buff_pos
CVE-2026-46206: batman-adv: reject new tp_meter sessions during teardown
CVE-2026-46212: batman-adv: bla: prevent use-after-free when deleting claims
CVE-2026-46219: spi: mpc52xx: fix use-after-free on unbind
CVE-2026-46220: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
CVE-2026-46227: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
CVE-2026-46231: batman-adv: bla: put backbone reference on failed claim hash insert
CVE-2026-46233: batman-adv: bla: only purge non-released claims
CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions
CVE-2026-46273: ibmveth: Disable GSO for packets with small MSS
CVE-2026-46275: Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
CVE-2026-46301: spi: topcliff-pch: fix use-after-free on unbind
CVE-2026-46303: isofs: validate Rock Ridge CE continuation extent against volume size
CVE-2026-46304: nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
CVE-2026-46307: wifi: ath5k: do not access array OOB
CVE-2026-43075: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
CVE-2026-43076: ocfs2: validate inline data i_size during inode read
CVE-2026-43110: wifi: brcmfmac: validate bsscfg indices in IF events
CVE-2026-43111: HID: roccat: fix use-after-free in roccat_report_event
CVE-2026-43113: wifi: wl1251: validate packet IDs before indexing tx_frames
CVE-2026-43117: btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
CVE-2026-43281: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
CVE-2026-43494: net/rds: reset op_nents when zerocopy page pin fails
CVE-2026-43497: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
CVE-2026-43503: net: skbuff: propagate shared-frag marker through frag-transfer helpers
CVE-2026-46044: ipmi:ssif: Clean up kthread on errors
CVE-2026-46151: usb: usblp: fix heap leak in IEEE 1284 device ID via short response
CVE-2026-46167: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
CVE-2026-46294: dm: fix a buffer overflow in ioctl processing
CVE-2026-46300: Fragnesia: the Dirty Frag vulnerability class
CVE-2026-52914: batman-adv: fix fragment reassembly length accounting
CVE-2026-52915: netfilter: ip6t_hbh: reject oversized option lists
CVE-2026-52916: batman-adv: frag: disallow unicast fragment in fragment
CVE-2026-52919: batman-adv: fix tp_meter counter underflow during shutdown
CVE-2026-52920: netfilter: xt_policy: fix strict mode inbound policy matching
CVE-2026-52921: netfilter: ipset: stop hash:* range iteration at end
CVE-2026-52922: batman-adv: dat: handle forward allocation error
CVE-2026-52925: vrf: Fix a potential NPD when removing a port from a VRF
CVE-2026-52926: batman-adv: clear current gateway during teardown
CVE-2026-52931: batman-adv: tp_meter: avoid use of uninit sender vars
CVE-2026-52955: libceph: Fix potential out-of-bounds access in crush_decode()
CVE-2026-52957: libceph: Fix potential null-ptr-deref in decode_choose_args()
CVE-2026-52962: ceph: fix a buffer leak in __ceph_setxattr()
CVE-2026-52963: ALSA: usb-audio: Bound MIDI endpoint descriptor scans
CVE-2026-52972: crypto: af_alg - Cap AEAD AD length to 0x80000000
CVE-2026-52982: net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
CVE-2026-52984: net/sched: netem: fix queue limit check to include reordered packets
CVE-2026-52986: netfilter: nf_conntrack_sip: don't use simple_strtoul
CVE-2026-52993: tipc: fix double-free in tipc_buf_append()
CVE-2026-52995: net/rds: zero per-item info buffer before handing it to visitors
CVE-2026-52998: netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
CVE-2026-52999: netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
CVE-2026-53001: netfilter: xtables: restrict several matches to inet family
CVE-2026-53002: netfilter: conntrack: remove sprintf usage
CVE-2026-53004: sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
CVE-2026-53006: ipv6: fix possible UAF in icmpv6_rcv()
CVE-2026-53016: crypto: ccp - copy IV using skcipher ivsize
CVE-2026-53021: scsi: target: core: Fix integer overflow in UNMAP bounds check
CVE-2026-53037: HID: usbhid: fix deadlock in hid_post_reset()
CVE-2026-53039: ocfs2: validate group add input before caching
CVE-2026-53040: ocfs2: validate bg_bits during freefrag scan
CVE-2026-53041: ocfs2: fix listxattr handling when the buffer is full
CVE-2026-53043: ocfs2/dlm: validate qr_numregions in dlm_match_regions()
CVE-2026-53045: memory: tegra124-emc: Fix dll_change check
CVE-2026-53047: efi/capsule-loader: fix incorrect sizeof in phys array reallocation
CVE-2026-53050: quota: Fix race of dquot_scan_active() with quota deactivation
CVE-2026-53059: dm log: fix out-of-bounds write due to region_count overflow
CVE-2026-53060: dm cache metadata: fix memory leak on metadata abort retry
CVE-2026-53062: dm cache policy smq: fix missing locks in invalidating cache blocks
CVE-2026-53064: dm cache: fix null-deref with concurrent writes in passthrough mode
CVE-2026-53065: ASoC: sti: use managed regmap_field allocations
CVE-2026-53073: Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
CVE-2026-53075: ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
CVE-2026-53082: net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
CVE-2026-53088: net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
CVE-2026-53093: wifi: brcmfmac: Fix error pointer dereference
CVE-2026-53112: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
CVE-2026-53128: drbd: Balance RCU calls in drbd_adm_dump_devices()
CVE-2026-53130: fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
CVE-2026-53287: audit: fix incorrect inheritable capability in CAPSET records
CVE-2026-53294: mailbox: mailbox-test: don't free the reused channel
CVE-2026-53295: mailbox: add sanity check for channel array
CVE-2026-53296: mailbox: mailbox-test: free channels on probe error
CVE-2026-53304: scsi: sg: Resolve soft lockup issue when opening /dev/sgX
CVE-2026-53306: tty: hvc_iucv: fix off-by-one in number of supported devices
CVE-2026-53309: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
CVE-2026-53320: nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
Best regards,
Ulrich Hecht
reply other threads:[~2026-06-29 10:35 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1029449999.62165.1782729274698@webmail.strato.de \
--to=uli@fpond.eu \
--cc=chris.paterson2@renesas.com \
--cc=cip-dev@lists.cip-project.org \
--cc=jan.kiszka@siemens.com \
--cc=masami.ichikawa@cybertrust.co.jp \
--cc=nobuhiro.iwamatsu.x90@mail.toshiba \
--cc=pavel@nabladev.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox