* Re: [cip-dev] v4.19.325-cip133 pipeline failure question
From: Pavel Machek @ 2026-06-04 10:44 UTC (permalink / raw)
To: lnasby; +Cc: cip-dev
In-Reply-To: <CAJ6VbX+9vr3_KsyK59Pr3Nv3g_Tr8yN=ZQ=F78NH_wYxNmoo1w@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3934 bytes --]
Hi!
> I noticed that one of the tests in the pipeline for v4.19.325-cip133 shows
> a failure that seems non-trivial:
> https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/2558173750
>
> In particular, it seems like a handful of specific CVE-related tests are
> failing. Is this kernel considered stable for release though? It is
> quite
If you need to run 4.19, 4.19.325-cip133 is very good option.
Whether it is stable/secure enough for your usecase really depends on
your usecase, and it is up to you to evaluate. Start by taking a look
at "KNOWN-BUGS" file. If you are running shell server with untrusted
users (for example), well, that a) is a bad idea and b) certainly is
very bad idea with 4.19 kernel.
Below is generic document that may give you some hints.
Best regards,
Pavel
Good and bad ideas w.r.t. kernel and security
Kernel tries to provide many security guarantees at different
levels. Still, some things are easier to guarantee than others, and
some security barriers are really important, while others... not so
much.
Kernel should be secure against remote attackers.
And it reasonably is, when not, we get it fixed with high priority.
Kernel should protect itself and other users against local, non-priviledged users.
Tries, but attack surface is big.
People don't care about DoS attacks much.
=> Running untrusted code is a bad idea. Forkbomb is few characters in sh.
Fast, out-of-order CPUs leak user data via timing side-channels. Those
CPUs should not process sensitive data. JITs can be used to extract the data.
We can try to work around the problems and apply vendor-provided
workarounds, but there are likely more problems in future. Similar
bugs are hidden in CPU microarchitectures, and in particular
Spectre workarounds are whack-a-mole and thus incomplete.
Hyperthreading makes those attacks easier.
=> Use suitable CPUs to process sensitive data.
BPF is in-kernel JIT
=> Don't use BPF, make sure it is disabled on your configurations.
Filesystems are complex, robustness against malformed filesystems is hard.
Some filesystems try to be robust against filesystems corruption,
and some don't even try. Some perform checks during mount, but
that means that malicious device can work around them.
=> Don't mount untrusted filesystems. If you have to, use simple and
common filesystem. VFAT might be good choice.
Kernel should protect itself against local users with CAP_XX.
Yes, there's capability system, and in theory capabilities should be separated.
=> Don't rely on that. Noone else does.
Some systems try to protect themselves against people with physical access.
Laws of physics says it is impossible, but people can still try to
make it more costly for the "attacker".
=> Please don't rely on that.
Coredumps are useful for debugging, but random processes leaving files in cwd
may not be welcome
Consider disabling coredumps, perhaps with RLIMIT_CORE=0.
Consider putting all coredumps into single directory with /proc/sys/kernel/core_pattern.
io_uring is rather new and buggy
https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring
Kernel config options for hardened kernel
Investigate:
CONFIG_X86_IOPL_IOPERM=y
https://timesys.com/security/securing-your-linux-configuration-kernel-hardening/
RETPOLINE=Y
DEVMEM=is not set
PAGE_POISONING=Y , enable withpage_poison=1
GCC_PLUGIN_STACKLEAK=Y
DEBUG_BUGVERBOSE=is not set , kind of security by obscurity, but may make attackers work harder; will also make your own debugging harder, so..
ARCH_HAS_ELF_RANDOMIZE=Y
INIT_ON_FREE_DEFAULT_ON=Y
INIT_ON_ALLOC_DEFAULT_ON=Y
DEBUG_VIRTUAL=Y
https://github.com/a13xp0p0v/kconfig-hardened-check ?
Unloading modules is hard and rarely used.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply
* Re: [cip-dev] v4.19.325-cip133 pipeline failure question
From: Ulrich Hecht @ 2026-06-04 9:18 UTC (permalink / raw)
To: lnasby, cip-dev
In-Reply-To: <CAJ6VbX+9vr3_KsyK59Pr3Nv3g_Tr8yN=ZQ=F78NH_wYxNmoo1w@mail.gmail.com>
> On 06/03/2026 5:07 PM CEST Luke Nasby via lists.cip-project.org <lnasby=intwineconnect.com@lists.cip-project.org> wrote:
> I noticed that one of the tests in the pipeline for v4.19.325-cip133 shows a failure that seems non-trivial: https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/2558173750
>
> In particular, it seems like a handful of specific CVE-related tests are failing. Is this kernel considered stable for release though? It is quite possible that I do not understand something related to these failures, but I am just curious to know if I should wait for this to be fixed, or if this version is currently safe to include in another project.
We have decided against backporting some speculation-related fixes to 4.4 and 4.19 due to their complexity and because we consider the vulnerabilities to be outside our threat model. (We assume a trusted userspace.)
These issues will not be fixed in the 4.4 and 4.19 trees, and related test failures are ignored in our test pipelines.
Whether these branches are safe to use for your project depends on whether you allow execution of untrusted userland code. Generally speaking, if you are not already running 4.19-based systems in production we would recommend to use more recent versions.
CU
Uli
^ permalink raw reply
* CIP IRC weekly meeting today on libera.chat
From: Jan Kiszka @ 2026-06-04 6:07 UTC (permalink / raw)
To: cip-dev
Hi all,
Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today. Our channel is the following:
irc:irc.libera.chat:6697/cip
The IRC meeting is scheduled to UTC (GMT) 12:00:
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2026&month=6&day=4&hour=12&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248
USWest USEast UK DE TW JP
05:00 08:00 13:00 14:00 20:00 21:00
Last meeting minutes:
https://ircbot.wl.linuxfoundation.org/meetings/cip/2026/05/cip.2026-05-28-12.01.log.html
* Action items
* Kernel maintenance updates
* Kernel release status [*]
* Kernel testing
* AOB
- AI-assisted backport reviews, state & approaches
Jan
[*]
Date the data is created: Thu Jun 4 06:03:45 AM UTC 2026
linux-4.4.y-cip: interval 30 day
latest version release date: Tue May 19 02:53:20 PM UTC 2026
limit date: Thu Jun 18 02:53:20 PM UTC 2026
Status: On track
linux-4.4.y-cip-rt: interval 60 day
latest version release date: Mon May 25 11:40:18 AM UTC 2026
limit date: Fri Jul 24 11:40:18 AM UTC 2026
Status: On track
linux-4.19.y-cip: interval 30 day
latest version release date: Thu May 28 07:36:48 AM UTC 2026
limit date: Sat Jun 27 07:36:48 AM UTC 2026
Status: On track
linux-4.19.y-cip-rt: interval 60 day
latest version release date: Tue May 12 11:56:37 AM UTC 2026
limit date: Sat Jul 11 11:56:37 AM UTC 2026
Status: On track
linux-5.10.y-cip: interval 30 day
latest version release date: Fri May 15 10:25:33 PM UTC 2026
limit date: Sun Jun 14 10:25:33 PM UTC 2026
Status: On track
linux-5.10.y-cip-rt: interval 60 day
latest version release date: Mon May 4 10:49:51 AM UTC 2026
limit date: Fri Jul 3 10:49:51 AM UTC 2026
Status: On track
linux-6.1.y-cip: interval 30 day
latest version release date: Fri May 15 10:28:23 PM UTC 2026
limit date: Sun Jun 14 10:28:23 PM UTC 2026
Status: On track
linux-6.1.y-cip-rt: interval 60 day
latest version release date: Mon Apr 13 11:43:31 AM UTC 2026
limit date: Fri Jun 12 11:43:31 AM UTC 2026
Status: On track
linux-6.12.y-cip: interval 15 day
latest version release date: Thu May 21 11:47:46 PM UTC 2026
limit date: Fri Jun 5 11:47:46 PM UTC 2026
Status: On track
^ permalink raw reply
* v4.19.325-cip133 pipeline failure question
From: Luke Nasby @ 2026-06-03 15:07 UTC (permalink / raw)
To: cip-dev
[-- Attachment #1: Type: text/plain, Size: 570 bytes --]
Hello,
I noticed that one of the tests in the pipeline for v4.19.325-cip133 shows
a failure that seems non-trivial:
https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/2558173750
In particular, it seems like a handful of specific CVE-related tests are
failing. Is this kernel considered stable for release though? It is quite
possible that I do not understand something related to these failures, but
I am just curious to know if I should wait for this to be fixed, or if this
version is currently safe to include in another project.
Thanks!
- Luke Nasby
[-- Attachment #2: Type: text/html, Size: 776 bytes --]
^ permalink raw reply
* [kernel-cve-report] New CVE entries this week
From: Masami Ichikawa @ 2026-06-03 23:13 UTC (permalink / raw)
To: cip-dev
Hi!
It's this week's CVE report.
This week reported 172 new CVEs and 256 updated CVEs.
The CVE-2026-46243 is known as CIFSwitch.
* New CVEs
CVE-2026-46104: selinux: use sk blob accessor in socket permission helpers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46104
Introduced by commit d1d991e ("selinux: Add netlink xperm support") in
v6.13-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [032e70aff025d7c519af9ab791cd084380619263]
stable/6.18: [d350fef4bc2467fe1bce15f7a20fe60e01ce41ad]
stable/7.0: [7eca71f57f194c1638ebb7f4097d6be8fd04c101]
CVE-2026-46105: scsi: mpt3sas: Limit NVMe request size to 2 MiB
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46105
Introduced by commit 9b8b848 ("block: Increase
BLK_DEF_MAX_SECTORS_CAP") in v6.17-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [04631f55afc543d5431a2bdee7f6cc0f2c0debe7]
stable/6.18: [45dcc815fc5539e88154315f36cbcb11d3a52fc2]
stable/7.0: [e5f9824817c6358b9f9738bdb92dec9e4e794d3c]
CVE-2026-46106: eventfs: Hold eventfs_mutex and SRCU when remount walks events
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46106
Introduced by commit 340f0c7 ("eventfs: Update all the eventfs_inodes
from the events descriptor") in v6.10-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
stable/6.6
Fixed status
mainline: [07004a8c4b572171934390148ee48c4175c77eed]
stable/6.12: [44e64d8a432837308f4dda3ffe819f1ec092a0ba]
stable/6.18: [52b109f1b875b912d4ab2c5fdd8c322d47119d9b]
stable/6.6: [ae9cd0b46b1890040006a2fc5e905c5d6053fd02]
stable/7.0: [ed2ad73bcb0a7a6cc934097d4853b6d5124c317e]
CVE-2026-46107: dm-thin: fix metadata refcount underflow
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46107
Introduced by commit 3241b1d ("dm: add persistent data library") in v3.2-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [09a65adc7d8bbfce06392cb6d375468e2728ead5]
stable/5.15: [f49b41c9eb7c6ff00df27cd49cea210abbadd8ad]
stable/6.1: [f06f6aededd792a754cd677c02b3d3016d868c2c]
stable/6.12: [323d252a4a378834e4fe68298ca61cfc5dd3a460]
stable/6.18: [85311a585a26640760cd0f3349ab9f2905691044]
stable/6.6: [12161e03d33afce781f68fa11cc6060538862fad]
stable/7.0: [5ec0debbcfd43596e32c1239e993de06a704e04c]
CVE-2026-46108: ipmi:si: Return state to normal if message allocation fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46108
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [09dd798270ff582d7309f285d4aaf5dbebae01cb]
stable/5.10: [c204fab7f76a055eac346e3b1a75c6b4bb99600e]
stable/5.15: [ab48817aebe4d831f87d4da6f94f50498c130d9e]
stable/6.1: [9c6ded95ac6281e390d167637ccbde6cea2ba1ae]
stable/6.12: [88881dc1da86064f479378bc9d0a4956c3d0bb12]
stable/6.18: [bc13fce9eeec88c4950924754c3347c6dc66ff4c]
stable/6.6: [ce905b65e649eee378a0f37e8219f1d70efb3007]
stable/7.0: [ba60140d4133231b49185ac8bf6e54f318d3134e]
CVE-2026-46109: usb: ulpi: fix memory leak on ulpi_register() error paths
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46109
Introduced by commit 01af542 ("usb: ulpi: fix double free in
ulpi_register_interface() error path") in v7.0-rc7.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/4.4 cip/4.4-rt cip/4.4-st
cip/5.10 cip/5.10-rt cip/6.1 cip/6.12 stable/5.10 stable/5.15
stable/6.1 stable/6.12 stable/6.18 stable/6.6
Fixed status
mainline: [0b9fcab1b8608d429e5f239afb197de928d4de7d]
stable/5.10: [0c2c0c6820fe96fa4be0a0499f8d3f3321b9af6c]
stable/5.15: [f1b855c00988a9cb41134cab7cf9faedba775dd9]
stable/6.1: [7bd61ed0bf9f4f1f2673d489b3bda1555b48d054]
stable/6.12: [be2c1d825f54277472c87019e82013ac534ddc4c]
stable/6.18: [2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d]
stable/6.6: [b0c0d44adb55c66663886cb6e30ee92cbb0f5385]
stable/7.0: [f30ccfc2985590b33a23a3d8bed7ca16c0af551b]
CVE-2026-46110: net: stmmac: Prevent NULL deref when RX memory exhausted
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46110
Introduced by commit b6cb454 ("net: stmmac: avoid rx queue overrun")
in v6.7-rc2.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt stable/6.1 stable/6.6
Fixed status
mainline: [0bb05e6adfa99a2ea1fee1125cc0953409f83ed8]
stable/6.12: [5c910f7708e3c507b037ca91ca5b09f8cfe71e65]
stable/6.18: [4af2e62cbcda575a174acd230c3f3a208135e16d]
stable/6.6: [e1c50b273298c7cd9b08b113e7a7598b531a02f5]
stable/7.0: [950cb436165aad0f8f2cd49da3cd07677465bcde]
CVE-2026-46111: Bluetooth: hci_conn: fix potential UAF in create_big_sync
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46111
Introduced by commit eca0ae4 ("Bluetooth: Add initial implementation
of BIS connections") in v6.0-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0beddb0c380bed5f5b8e61ddbe14635bb73d0b41]
stable/6.12: [1750a2df0eab61dc421a7afae74abdd239a44b85]
stable/6.18: [dc34f8d8240f25dd137dc2758ebbcc75e3779142]
stable/6.6: [6823f730bf195fc296d9edd09e2ca94bc1ff5584]
stable/7.0: [f8eaf92c57ad99358dd372580d5ff87623343a72]
CVE-2026-46112: RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46112
Introduced by commit e088a68 ("RDMA/hns: Support rq record doorbell
for the user space") in v4.17-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0c99acbc8b6c6dd526ae475a48ee1897b61072fb]
stable/5.15: [1f0a3aa8b569d010316b427238222c5d899f9618]
stable/6.1: [b6296ff2475fc95ee6ea1b528c4b385302808186]
stable/6.12: [fcf6a832c0d5b2bc5398d6996c5570d3ee7993fb]
stable/6.18: [1912f78798505dc9c637081bbddfbf1c22494c49]
stable/6.6: [fb4ae739811d467409bd07d0e36cfd4140f3d26a]
stable/7.0: [615d9d260c32bb678504ca96f29ae46f9d745155]
CVE-2026-46113: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46113
Introduced by commit 2032a93 ("KVM: MMU: Don't allocate gfns page for
direct mmu pages") in v2.6.36-rc1.
Introduced by commit 6aa8b73 ("kvm: userspace interface") in v2.6.20.16.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0cb2af2ea66ad8ff195c156ea690f11216285bdf]
stable/6.1: [e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0]
stable/6.12: [06c19c967b845b63172601fe459667d973b7e6b7]
stable/6.18: [738ec97b1855df6c08fe2369f798fa0b972e556b]
stable/6.6: [488e386484ec8c0e558be6e156edf34ed9f4d5c8]
stable/7.0: [14d1e55dfd2cf4711bff164a6aaaddb783552134]
CVE-2026-46114: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46114
Introduced by commit 034e285 ("RDMA/rxe: Make responder support atomic
write on RC service") in v6.2-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1114c87aa6f195cf07da55a27b2122ae26557b26]
stable/6.12: [d415fce3fcde6d7aeea6c25362a395b905811452]
stable/6.18: [105bf79a23b85cf3a761d18a4f3e10ce88526bc1]
stable/6.6: [539cabb7b2d8ba70f55bba91db55faef11c2a6d7]
stable/7.0: [7ec1ed4747f5f99f8b797bb438c5efd36079fad5]
CVE-2026-46115: block: add pgmap check to biovec_phys_mergeable
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46115
Introduced by commit 49580e6 ("block: add check when merging zone
device pages") in v6.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [13920e4b7b784b40cf4519ff1f0f3e513476a499]
stable/6.12: [a7f3aa8c9df3905fe820ae36b67ba56b81587574]
stable/6.18: [f17d521075325b8afc42d1baa1c28a5e9aca111f]
stable/6.6: [3d2ecbd444b01d6500671d1a582b7393943cf539]
stable/7.0: [f632dab4b841554cd6416058c61886d7db176581]
CVE-2026-46116: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46116
Introduced by commit fe9f1d8 ("xfrm: add state hashtable keyed by
seq") in v5.14-rc1.
Introduced by commit 7b4dc36 ("[XFRM]: Do not add a state whose SPI is
zero to the SPI hash.") in v2.6.20.16.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [14acf9652e5690de3c7486c6db5fb8dafd0a32a3]
stable/6.12: [26edb0a3c99f9d958c212be68b21f1221614dcf0]
stable/6.18: [4980162de555cb838f1a189ce7d2cbf5d2e7b050]
stable/6.6: [b4a53add2fa8f1b5aa17d4c5686c320785fab182]
stable/7.0: [a2e2d08fb070fab4947447171f1c4e3ca5a188e5]
CVE-2026-46117: RDMA/mana: Remove user triggerable WARN_ON() in
mana_ib_create_qp_rss()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46117
Introduced by commit c15d780 ("RDMA/mana_ib: Add CQ interrupt support
for RAW QP") in v6.8-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [159f2efabc89d3f931d38f2d35876535d4abf0a3]
stable/6.12: [9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71]
stable/6.18: [9ef65af26b2a6738bf15812042e84b3112402d3a]
stable/7.0: [db991ba50087ad99fa12a2c483aa3be19671ea73]
CVE-2026-46118: pseries/papr-hvpipe: Fix null ptr deref in
papr_hvpipe_dev_create_handle()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46118
Introduced by commit 6d3789d ("papr-hvpipe: convert
papr_hvpipe_dev_create_handle() to FD_PREPARE()") in v6.19-rc1.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
stable/6.18
Fixed status
mainline: [1b9f7aafa44f5ce852c00509104d10fd9eb0f402]
stable/6.18: [735439394dde8462f9b50566727fbe333beaadaf]
stable/7.0: [cf51bec1560f8bf115d1476f60335f9d90e110b0]
CVE-2026-46119: libceph: Fix slab-out-of-bounds access in auth message
processing
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46119
According to the .vulnerable file, this bug was introduced by commit
4e7a5dc in v2.6.34-rc2.
Fixed in v7.1-rc1.
It looks as if this bug was introduced by 3c0d089 ("libceph: don't
pass result into ac->ops->handle_reply()") in v5.13.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1c439de70b1c3eb3c6bffa8245c16b9fc318f114]
stable/5.15: [c2374b92c729d0388a538b3cde7b3e3b5e55ef39]
stable/6.1: [38fdf04c602d52c42c67fc1617211492753b7e8b]
stable/6.12: [408e85ee708b6aa03eeb0220ffa0915f4d407181]
stable/6.18: [b7df9fbd4869fdfe09a3f501ffd228486521e062]
stable/6.6: [2ae0afd98432536562fa8261538ae795446f0589]
stable/7.0: [8517b6c8d2c759918ba0058cb6c7e14d59643202]
CVE-2026-46120: ip6_gre: Use cached t->net in ip6erspan_changelink().
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46120
Introduced by commit 2d66503 ("net: ip6_gre: Fix ip6erspan hlen
calculation") in v4.17-rc7.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1d324c2f43f70c965f25c58cc3611c779adbe47e]
stable/5.10: [7bd0f2b162b426b343a114e1b329f0d8d14fdc6e]
stable/5.15: [01b71ff2857d3598337de11e7840a8e3ff21553c]
stable/6.1: [0fcf6731706f73494245a9c0d64f93bebf95bb51]
stable/6.12: [311fdd26eb4443d43b909cc67a10f3a5fd1b21b2]
stable/6.18: [e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82]
stable/6.6: [eca62bb0569de4d43a4dac06a2092a9d4ca1d702]
stable/7.0: [cf7fc624329e76c6394653d12353e1d033adea91]
CVE-2026-46121: mm/damon/sysfs-schemes: protect memcg_path kfree()
with damon_sysfs_lock
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46121
Introduced by commit 4f489fe ("mm/damon/sysfs-schemes: free old
damon_sysfs_scheme_filter->memcg_path on write") in v6.16-rc4.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.6
Fixed status
mainline: [1e68eb96e8beb1abefd12dd22c5637795d8a877e]
stable/6.12: [c88802d0e8edd14b6cd2daf3000f99adbc4c85c5]
stable/6.18: [eafd6f5372d29b0dd213799b92c2c9c7ad31d7da]
stable/6.6: [b1e9f2d5870776347edef927f9bb3ea19b8e3abb]
stable/7.0: [baecc45ad60e621ef14d6c1e7f41ef36bbfdf910]
CVE-2026-46122: wifi: b43: enforce bounds check on firmware key index
in b43_rx()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46122
Introduced by commit e4d6b79 ("[B43]: add mac80211-based driver for
modern BCM43xx devices") in v2.6.24-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1f4f78bf8549e6ac4f04fba4176854f3a6e0c332]
stable/5.10: [135cb49c9a42a02cceeac7b49ec03e267f7ed6d6]
stable/5.15: [3157ad40b084a8f3932da2641749ab45e99b933e]
stable/6.1: [765709720e6af9a178abc40244a8d1aa39ac4e71]
stable/6.12: [1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14]
stable/6.18: [d7029879bafdac2006c67553807d122283dc6cbf]
stable/6.6: [c3d7b90dc95020cd9282c4630e402fe224f7644e]
stable/7.0: [219ba67e69e49681e48c822d6eaafb5def032f34]
CVE-2026-46123: Bluetooth: virtio_bt: clamp rx length before skb_put
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46123
Introduced by commit 160fbcf ("Bluetooth: virtio_bt: Use skb_put to
set length") in v6.1-rc4.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
stable/5.15
Fixed status
mainline: [21bd244b6de5d2fe1063c23acc93fbdd2b20d112]
stable/5.15: [4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a]
stable/6.1: [fd91fa2678ab603dfb285416c1cf3843d7be1e41]
stable/6.12: [6c1730099a6fc18b183bd6c1adad3b54adcaeda9]
stable/6.18: [b40cdd1b1370d76e9e760af4490cb4a351cceead]
stable/6.6: [ed41c81d30b211a671667259c3b5feeba0e062d5]
stable/7.0: [e6b4296f170d949ebba937cf6a3f247ec9550d2c]
CVE-2026-46124: isofs: validate block number from NFS file handle in
isofs_export_iget
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46124
Introduced by commit 0405d4b ("isofs: Prevent the use of too small
fid") in v6.15-rc3.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/4.4 cip/4.4-rt cip/4.4-st
cip/5.10 cip/5.10-rt cip/6.1 cip/6.1-rt cip/6.12 stable/5.10
stable/5.15 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [24376458138387fb251e782e624c7776e9826796]
stable/5.10: [ee0024f5a7e3c73aa253869fae9650ae054093ca]
stable/5.15: [31dbb4ba0f719ae7774e4c0c95172c9bf81692f5]
stable/6.1: [908a76f0b1038035e6ebb4f2293ce079f92e0a02]
stable/6.12: [0a1af74ae2177bda3aee0837a0546309aa539d0d]
stable/6.18: [afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b]
stable/6.6: [bb0988ed4f2e26d59bbb58f644cb3a55b7521e21]
stable/7.0: [4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6]
CVE-2026-46125: wifi: mac80211: remove station if connection prep fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46125
Introduced by commit 81151ce ("wifi: mac80211: support MLO
authentication/association with one link") in v6.0-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [283fc9e44ff5b5ac967439b4951b80bd4299f4e4]
stable/6.12: [afcbaed89cdc1a001b43270cbf5394bb4804270a]
stable/6.18: [9e28654f79f443bca9b29ff3ae7cf18abfba58a0]
stable/6.6: [fe75fa1ac9a92990f7fc3d34b17808fd933071b2]
stable/7.0: [1c2b72ea89882aeb948340498391e69c58d466f1]
CVE-2026-46126: RDMA/mana: Fix mana_destroy_wq_obj() cleanup in
mana_ib_create_qp_rss()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46126
Introduced by commit c15d780 ("RDMA/mana_ib: Add CQ interrupt support
for RAW QP") in v6.8-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [34ecf795692ee57c393109f4a24ccc313091e137]
stable/6.12: [8f23eb6c50f1a4bf32fc4d62cfb9fc39e8e586cf]
stable/6.18: [bb9cb36eaefa4dcb7c0d9f7a01e5c739abdd53a8]
stable/7.0: [9a05a6798177e44dfbe18393be2c1ebb89ab06fd]
CVE-2026-46127: RDMA/ocrdma: Don't NULL deref uctx on errors in
ocrdma_copy_pd_uresp()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46127
Introduced by commit fe2caef ("RDMA/ocrdma: Add driver for Emulex
OneConnect IBoE RDMA adapter") in v3.5-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [34fbf48cf3b410d2a6e8c586fa952a36331ca5ba]
stable/5.10: [b610f33c5523fe26f6dd897667fff9c7a1de5905]
stable/5.15: [443c991fbc954cc9363e963c09f404b9f281f3a2]
stable/6.1: [27b6eb1f27fda9bdd5cae028e396758cdf525845]
stable/6.12: [75fc130664ae324e7b2f9ad3630e0f175e9ca6c8]
stable/6.18: [8832626a483439e207734e027afff322ccdf726e]
stable/6.6: [e01a957561f663d3b68d2fd233a4502e3367efcd]
stable/7.0: [ec44c00a4fe1327efa35083f98b39c01cb535a51]
CVE-2026-46128: ipmi: Check event message buffer response for bad data
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46128
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [36920f30e78e69df01f9691c470b6f3ba8aebf98]
stable/5.10: [cf1ef30c42a7079e5bad863cd01c52aa3a17c3ac]
stable/5.15: [474e53d4397087913a5b9c9eb90fa068da4808bf]
stable/6.1: [01f8387fa5b796f13cf50014c171f6da7abc46ea]
stable/6.12: [7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0]
stable/6.18: [42432b579a594b66ac32e5e7b7c26e6bc578ec89]
stable/6.6: [2418e4b21fb1355504d095da5d5f0a210564a43d]
stable/7.0: [24269264c3d59a49eb09b10af2c75b14f2931482]
CVE-2026-46129: btrfs: fix double free in create_space_info() error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46129
Introduced by commit a11224a ("btrfs: fix memory leaks in
create_space_info() error paths") in v6.19-rc6.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/6.1 stable/6.12 stable/6.18 stable/6.6
Fixed status
mainline: [3f487be81292702a59ea9dbc4088b3360a50e837]
stable/6.1: [ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5]
stable/6.12: [f414b3abbba59ef379a2b3c31f2bdd9358ed5e53]
stable/6.18: [9a060970fd7b5e1c561e4ce73cb9949e4269a738]
stable/6.6: [c2670ec4aa49ca226bce9776601e0da37502be07]
stable/7.0: [dd6ade0fdd59218d71a981ae7c937a304e49209c]
CVE-2026-46130: dm-verity-fec: fix reading parity bytes split across
blocks (take 3)
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46130
Introduced by commit 6df90c0 ("dm-verity FEC: Fix RS FEC repair for
roots unaligned to block size (take 2)") in v6.13-rc7.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [430a05cb926f6bdf53e81460a2c3a553257f3f61]
stable/7.0: [3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb]
CVE-2026-46131: KVM: x86: check for nEPT/nNPT in slow flush hypercalls
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46131
Introduced by commit aee7382 ("KVM: x86: Prepare kvm_hv_flush_tlb() to
handle L2's GPAs", 2022-11-18) in v6.2-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [464af6fc2b1dcc74005b7f58ee3812b17777efee]
stable/6.12: [45fc766bc756ff1d66f8ca026a9c4f7f764adfae]
stable/6.18: [d6f4e217d663ede5becc2fd6cb612c749677387b]
stable/6.6: [971f17f5d91045404e3914029ea57c3da90179a4]
stable/7.0: [4c7f8436b19a2a3acc0cb6b6e3becd6796ae5c57]
CVE-2026-46132: net: rtnetlink: zero ifla_vf_broadcast to avoid stack
infoleak in rtnl_fill_vfinfo
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46132
Introduced by commit 75345f8 ("ipoib: show VF broadcast address") in v5.3-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4b9e327991815e128ad3af75c3a04630a63ce3e0]
stable/5.10: [14271b401ec6a4bf0d88054106fc2956084717e1]
stable/5.15: [cccce3190ba4356432b9f22369b56123d3d89f0d]
stable/6.1: [a44fbb631cba646532f3948636626f81717365a7]
stable/6.12: [c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8]
stable/6.18: [fbe0e6197225e6a83cf113a67a4b425f8de0bcd5]
stable/6.6: [0653c0516234c8258975d268a749115fc0f0ff00]
stable/7.0: [38bcc21f52246badb3154b6158dcb381d98de011]
CVE-2026-46133: RDMA/rxe: Reject unknown opcodes before ICRC processing
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46133
Introduced by commit 8700e3e ("Soft RoCE driver") in v4.8-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4c6f86d85d03cdb33addce86aa69aa795ca6c47a]
stable/5.10: [318787fa7193bd79691f2ebce4e80cb6abd0faef]
stable/5.15: [6a79b1ea0fcb2c998fda6a793050f66146e9cc42]
stable/6.1: [599cfdf44c1701c581cd4a21f1e1e03f8dc3840b]
stable/6.12: [f8ee926431a7bbec2b10c1290664af2cb290b983]
stable/6.18: [006a3a5f75345c6a0dbf13fd3ee01406e93b6733]
stable/6.6: [e3dc3a2fb05f4ed49c7f20594c4c52350d032189]
stable/7.0: [6fa18025e5782afff91415fd5217b39c1e4837d7]
CVE-2026-46134: platform/chrome: cros_ec_typec: Init mutex in
Thunderbolt registration
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46134
Introduced by commit 3b00be2 ("platform/chrome: cros_ec_typec:
Thunderbolt support") in v6.14-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [525cb7ba6661074c1c5cc3772bccc6afab6791ef]
stable/6.18: [23ae72e8c2f1c1d1da8cbd479320ddcfcc9c7435]
stable/7.0: [3b13d5883a097f538fccbab1c61c95546d29621f]
CVE-2026-46135: nvmet-tcp: fix race between ICReq handling and queue teardown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46135
Introduced commit is not determined.Fixed in v7.1-rc2.
NVMe over TCP target driver was added by 872d26a ("nvmet-tcp: add NVMe
over TCP target driver") in 5.0-rc1.
Fixed status
mainline: [5293a8882c549fab4a878bc76b0b6c951f980a61]
stable/6.12: [49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3]
stable/6.18: [67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6]
stable/7.0: [dcfe4d1f7960e7d1c01642318f3aae1a604f8508]
CVE-2026-46136: wifi: mt76: mt7921: fix a potential clc buffer length underflow
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46136
Introduced by commit fa6ad88 ("wifi: mt76: mt7921: fix country count
limitation for CLC") in v6.8-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt stable/6.1 stable/6.6
Fixed status
mainline: [5373f8b19e568b5c217832b9bbef165bd2b2df14]
stable/6.1: [2a79b1a492bcfa725383b6580cd93a6862308c85]
stable/6.12: [90cc573fd2f46ddbc2c329e7814b5ba3deb7b939]
stable/6.18: [0aa63d33742b805d1a218d18d12b983cce4b2f7b]
stable/6.6: [e451c325b000b9a0081fd93bc6d103d6943d4b55]
stable/7.0: [a0111847f0b4f6023f6dd320114697514e024ba3]
CVE-2026-46137: mptcp: pm: ADD_ADDR rtx: fix potential data-race
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46137
Introduced by commit 00cfd77 ("mptcp: retransmit ADD_ADDR when
timeout") in v5.10-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5cd6e0ad79d2615264f63929f8b457ad97ae550d]
stable/6.12: [6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3]
stable/6.18: [2ad56e434199ca24a812bb353667aa1c3860f513]
stable/6.6: [013dcdc1961543b9a3433466bc8c79a2f4ca75b5]
stable/7.0: [cc3c0399361efaaf7ae64262eb3f70829b1189c6]
CVE-2026-46138: Bluetooth: hci_event: Fix OOB read and infinite loop
in hci_le_create_big_complete_evt
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46138
Introduced by commit a0bfde1 ("Bluetooth: ISO: Add support for
connecting multiple BISes") in v6.6-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5ddb8014261137cadaf83ab5617a588d80a22586]
stable/6.12: [22559ad7654f61727fc270ee4893da9f4b70cf17]
stable/6.18: [77981a507aa0fc001dc37f0dd6631dd2042fed17]
stable/6.6: [6cb7f67bc28da787499291a562d49a084d9c90cd]
stable/7.0: [665da0baaf0396f9ed3c86ccb3955dcd0b73e774]
CVE-2026-46139: smb: client: use kzalloc to zero-initialize security
descriptor buffer
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46139
Introduced by commit 62e7dd0 ("smb: common: change the data type of
num_aces to le16") in v6.14-rc6.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.6
Fixed status
mainline: [5e489c6c47a2ac15edbaca153b9348e42c1eacab]
stable/6.12: [941a1e6eb35440336913afc88a82103291956d5d]
stable/6.18: [be1ef9512a3f5a755895c24f31b334342f4aa15b]
stable/6.6: [4c3ed344a970aad51388ac3b0145b98318f0e21f]
stable/7.0: [9bdb2ca31368b7671949dfb94a5d57ffccd01edd]
CVE-2026-46140: Bluetooth: btmtk: validate WMT event SKB length before
struct access
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46140
Introduced by commit d019930 ("Bluetooth: btmtk: move
btusb_mtk_hci_wmt_sync to btmtk.c") in v6.11-rc1.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
stable/6.6
Fixed status
mainline: [634a4408c0615c523cf7531790f4f14a422b9206]
stable/6.12: [c411cf1bfde951cfa821809cf4020ba177f76e0c]
stable/6.18: [624fb79dadc1b65757986a9d0fdde5c0cf3fe179]
stable/7.0: [70d37a8b9229e394cc17ddad47e90b81d80fcd09]
CVE-2026-46141: powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46141
Introduced by commit cc0cc23 ("powerpc/xive: Untangle xive from child
interrupt controller drivers") in v6.18-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6771c54728c278bf1e4bfdab4fddbbb186e33498]
stable/6.18: [2546fb8c9acc8c7512ed4339ce2a982cb7407065]
stable/7.0: [e66ed135cdf23a318e9727dca48f98f7f6142f78]
CVE-2026-46142: net: libwx: fix VF illegal register access
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46142
Introduced by commit a04ea57 ("net: libwx: fix device bus LAN ID") in v6.18-rc5.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.6
Fixed status
mainline: [694de316f607fe2473d52ca0707e3918e72c1562]
stable/6.12: [f6e656f7cea16b638675a2ab7d7e4cf2516c5eb0]
stable/6.18: [33c5bb50b9c40e8451e6aec4487a31d794b98d92]
stable/6.6: [d3bd8040497968f6f5470018724ef7b0df92f707]
stable/7.0: [68a007a701bc06fa426507c551ef12514f2e721d]
CVE-2026-46143: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46143
Introduced by commit be1fae6 ("ASoC: q6apm-lpass-dai: close graph on
prepare errors") in v6.10-rc6.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt stable/6.1 stable/6.6
Fixed status
mainline: [69acc488aaf39d0ddf6c3cf0e47c1873d39919a2]
stable/6.1: [af9cc7c622e596455c5190e6ef53c5b40ea7a90d]
stable/6.12: [c91b7bcc70346d07f57ef03d1b9a338324e213de]
stable/6.18: [7cab9f2ad51c858263da836baebad050a1bc7914]
stable/6.6: [3141d8b00cad6d3331953c79060ccc3a0262311b]
stable/7.0: [b97493f0f42ab9d882a62466782e1900e481a9d6]
CVE-2026-46144: RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46144
Introduced by commit 0266a17 ("RDMA/mana_ib: Add a driver for
Microsoft Azure Network Adapter") in v6.2-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6aaa978c6b6218cfac15fe1dab17c76fe229ce3f]
stable/6.12: [726af85ea4af750b2f75095e24e3cd99797344cb]
stable/6.18: [ab64c63b460bbd0521480bf90d5695783f5e66bc]
stable/6.6: [190e570cc0fc7f57eacf80d2b854ba54b4dfad6b]
stable/7.0: [30e8a2f33815d8f51b8f8b829c07af16c671cc27]
CVE-2026-46145: RDMA/mana: Validate rx_hash_key_len
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46145
Introduced by commit 0266a17 ("RDMA/mana_ib: Add a driver for
Microsoft Azure Network Adapter") in v6.2-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6dd2d4ad9c8429523b1c220c5132bd551c006425]
stable/6.12: [11c1431d641e0e4e0529e96957995820600c7287]
stable/6.18: [012796f9541fcd0c1fa8ae4da7eb4d83931ef838]
stable/6.6: [7d7c9f0fcd19c4d2f0164347c58d49cafa961b72]
stable/7.0: [7d94f155f354b961c598f71bafa804dceded513f]
CVE-2026-46146: ALSA: usb-audio: Avoid potential endless loop in
convert_chmap_v3()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46146
Introduced by commit ecfd411 ("ALSA: usb-audio: Validate UAC3 cluster
segment descriptors") in v6.17-rc2.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/5.10 cip/5.10-rt cip/6.1
cip/6.1-rt cip/6.12 stable/5.10 stable/5.15 stable/6.1 stable/6.12
stable/6.6
Fixed status
mainline: [6e7247d8f5fefeceb0bb9cc80a5388a636b219cd]
stable/5.10: [076d5d13eb9c1ad259a7f246149f6676c62285f9]
stable/5.15: [316aa0b1e3c5600eae5ab876394c1ac70e6db581]
stable/6.1: [24a40df79307ca7ca0eec0889361cf6ac146d72a]
stable/6.12: [4e0ee232ebe3df04874125d7c7f3e6c25ea5483d]
stable/6.18: [be09b47ed8677d76962e3240c145502e2ad9f3c8]
stable/6.6: [e0e3dcf48189603f3865f1a0b799b3b42baae96d]
stable/7.0: [fa5b19ce69067874b1413f3c2027563bae8c2cb3]
CVE-2026-46147: KVM: arm64: Fix pin leak and publication ordering in
__pkvm_init_vcpu()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46147
Introduced commit is not determined.Fixed in v7.1-rc2.
Fixed status
mainline: [73b9c1e5da84cd69b1a86e374e450817cd051371]
stable/6.18: [7d3c27b54253cda91dc4d2c1bfc109c490837ab9]
stable/7.0: [6d69c0ed978f7f0efd053fc98390f25ab77c1aea]
CVE-2026-46148: spi: microchip-core-qspi: control built-in cs manually
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46148
Introduced by commit 8f9cf02 ("spi: microchip-core-qspi: Add regular
transfers") in v6.17-rc1.
Introduced by commit 8596124 ("spi: microchip-core-qspi: Add support
for microchip fpga qspi controllers") in v6.1-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7672749e1496215e8683ce57cf323119033954cf]
stable/6.18: [998f43196d732f20f9b71eb6ebd973736c9fa911]
stable/7.0: [ee3c99aa102212ad59dc2c19595515c4a6729307]
CVE-2026-46149: scsi: target: configfs: Bound snprintf() return in
tg_pt_gp_members_show()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46149
Introduced by commit c66ac9d ("[SCSI] target: Add LIO target core
v4.0.0-rc6") in v2.6.38-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [772a896a56e0e3ef9424a025cec9176f9d8f4552]
stable/5.10: [d3cc9d490c207d57a289054397349f6f8c90354e]
stable/5.15: [db0a4759d62cad4ff891e2d81ae4be73bb57f4a4]
stable/6.1: [12f2201a56957ba020392223a7393a5eba080c1b]
stable/6.12: [72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e]
stable/6.18: [00d91bfdce5033f5d9b4915638ae9b0553848b5d]
stable/6.6: [1f678d13e939f91840cb1ebe9b88544923539d3c]
stable/7.0: [e501154f9d82c95d2719bcbbaf679d8fd3226ef7]
CVE-2026-46150: fanotify: fix false positive on permission events
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46150
Introduced by commit abc7757 ("fsnotify: Provide framework for
dropping SRCU lock in ->handle_event") in v4.12-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7746e3bd4cc19b5092e00d32d676e329bfcb6900]
stable/5.10: [a24765332e129c1916d5a6615418b75599b8fcdc]
stable/5.15: [4a7611ad653785fcdea5ff5f4441e2b7d05b7f11]
stable/6.1: [04bb66be92f48ed13c3faf1139d892df228789bc]
stable/6.12: [f130790f1acc8399f32652846c875a251efd040f]
stable/6.18: [7baa02b0ae9d17ec5f08836d8ea88ce1927d0678]
stable/6.6: [895ebbedf88318607c24acc0f591c74b165e1d0a]
stable/7.0: [b7b24b28c8cd55844cab908f4f39dded638d5538]
CVE-2026-46151: usb: usblp: fix heap leak in IEEE 1284 device ID via
short response
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46151
According to the .vulnerable file, this bug was introduced by commit
1da177e in v2.6.12.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7a400c6fe3617e31e690e3f7ca37bb335e0498f3]
stable/5.10: [4650cce898fcd0bb8c33e529984687a8caed10c3]
stable/5.15: [612640abbd9e0947fe8f37aaf0cf324265d7caa4]
stable/6.1: [4220d4dd062ea3d3eb056a6cbe0b568e740d20b1]
stable/6.12: [6d8142141c942c0d8e79343cffda9c44bb1f3f4f]
stable/6.18: [8247f52d822180e94ccbfdab91613af386a4e34d]
stable/6.6: [6e29c32a27218f2dcd4a4e9b0b3c5e7728640698]
stable/7.0: [522d17e93a85575256894212d10e5a1fa6f36529]
CVE-2026-46152: wifi: mac80211: drop stray 'static' from fast-RX rx_result
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46152
Introduced by commit 3468e1e ("wifi: mac80211: add mesh fast-rx
support") in v6.4-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba]
stable/6.12: [1739fc31b4de06c5c78ce0741182770fb079091e]
stable/6.18: [e131562d6f2b958148c35c98831b007f47f0e3d3]
stable/6.6: [03584528bfffb195e384698af9148b94e42e3f14]
stable/7.0: [3ef44f96ccc3e06e059dec57842e366f0c4b1893]
CVE-2026-46153: 8021q: delete cleared egress QoS mappings
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46153
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7dddc74af369478ba7f9bc136d0fc1dc4570cb66]
stable/7.0: [a52e122c9e4d56ad9a03b32c915a199276d989c3]
CVE-2026-46154: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in
cgroup setters
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46154
Introduced by commit a5bd6ba ("sched_ext: Use cgroup_lock/unlock() to
synchronize against cgroup operations") in v6.18-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [80afd4c84bc8f5e80145ce35279f5ce53f6043db]
stable/6.18: [ce9aaa3af445c391735c9d000c4db60dfd5640d4]
stable/7.0: [0f54f6355575971673d8aac7da107ec4178e45bd]
CVE-2026-46155: smb/client: fix out-of-bounds read in smb2_compound_op()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46155
Introduced by commit ea41367 ("smb: client: introduce
SMB2_OP_QUERY_WSL_EA") in v6.9-rc1.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
stable/6.6
Fixed status
mainline: [8d09328dfda089675e4c049f3f256064a1d1996b]
stable/6.12: [9b3af35645ff9cd334edc130249f9a2fb2bea25f]
stable/6.18: [512d33bc8ea4ea5c19728ee118715f4b1f4d1926]
stable/6.6: [dffb44b2e06a2908e249f0f93156fc987eee1d1c]
stable/7.0: [a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c]
CVE-2026-46156: LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46156
Introduced by commit 95db0c9 ("LoongArch: Workaround LS2K/LS7A GPU DMA
hang bug") in v7.0-rc6.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.12 stable/6.1 stable/6.12 stable/6.18 stable/6.6
Fixed status
mainline: [8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e]
stable/6.1: [bfde8accc3e3260c0ecbb8cc34361739e1e16f31]
stable/6.12: [2cb19b06c09983727573bbe7d7430cbad480a714]
stable/6.18: [9e1aed63a5552958ef2a9bfd699a3f990e52a77f]
stable/6.6: [07d190e4ec689d6478f7f5e36099fb9bf457e7c5]
stable/7.0: [81fef1c278436e6bd68ee4ca05a0acb96e256561]
CVE-2026-46157: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46157
According to the .vulnerable file, this bug was introduced by commit
1da177e in v2.6.12.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [901ac0ff15edf9503162e2cf6579bd11a30f1ed4]
stable/6.12: [49f9d048845be874df7997e4b1ce662de450c4b6]
stable/6.18: [ac3e9b55b7da6f0be51720bd330a0edc1a8b61f1]
stable/7.0: [6b01c1bc9a4748ab37548a700a8aaff910e298e6]
CVE-2026-46158: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46158
Introduced by commit 00cfd77 ("mptcp: retransmit ADD_ADDR when
timeout") in v5.10-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9634cb35af17019baec21ca648516ce376fa10e6]
stable/6.12: [b41dd76f3b9735096c21d3e799a2b9fe36498d57]
stable/6.18: [acd3d3562315c99f3c0db16f0fcc5f0306638982]
stable/6.6: [9426265e157dd77ec237c795901ed4dea6d69b5c]
stable/7.0: [25e37407442b8766ec2cf52fb4e31b5c3d3aeeae]
CVE-2026-46159: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU
which can lead to info-leak
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46159
Introduced by commit 7fde62b ("Btrfs: buffer results in the space_info
ioctl") in v2.6.34-rc2.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [973e57c726c1f8e77259d1c8e519519f1e9aea77]
stable/6.12: [4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3]
stable/6.18: [5d12e0ab009ade48c1bff9324fd9bea2c773d088]
stable/6.6: [f5ee467b56764964027c361641f64953fc0f8f9a]
stable/7.0: [d09d67d5de577cedae3de9497dff217e0ac8b641]
CVE-2026-46160: btrfs: fix missing last_unlink_trans update when
removing a directory
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46160
According to the .vulnerable file, this bug was introduced by commit
12fcfd2 in v2.6.30-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [999757231c49376cd1a37308d2c8c4c9932571e1]
stable/6.12: [aa9c3ecaf7337df3a689318584f879b5339ede0f]
stable/6.18: [fb388eb58c1ba047ccabc33901839acfecadcf49]
stable/6.6: [cc3c0a0f965754ce230d93ba44ee5b34fbe6138a]
stable/7.0: [36fcc2c7517f8a86379154c9793f867592aa8b7e]
CVE-2026-46161: md/raid10: fix divide-by-zero in setup_geo() with zero
far_copies
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46161
Introduced by commit 475901a ("MD RAID10: Improve redundancy for 'far'
and 'offset' algorithms (part 1)") in v3.9-rc2.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9aa6d860b0930e2f72795665c42c44252a558a0c]
stable/5.10: [0b43a70394ce492274e67463326be03e0a9897c5]
stable/5.15: [c716ab3034f84f8a6c226814247b8c5ac9f95da1]
stable/6.1: [553e32adfa1a96b217651139a3f8c3b92b9984ac]
stable/6.12: [9d8e03b9a2b1e8ce5c198bf3a409a629f4d02cda]
stable/6.18: [913d556e4bd1b56ed822815655b82c7bb54edc51]
stable/6.6: [4af2e558e6fdfb972c61350653fd55d1f62b60a5]
stable/7.0: [f9ddb621b2325eb69c95692958daf2bab4dea2c4]
CVE-2026-46162: ice: fix double free in ice_sf_eth_activate() error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46162
Introduced by commit 13acc5c ("ice: subfunction activation and base
devlink ops") in v6.12-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9aab1c3d7299285e2569cbc0ed5892d631a241b2]
stable/6.12: [2ca30340b5028ddc3f17086a538feeff06167b1b]
stable/6.18: [121d1f253aed515cd85748f68c664a6cb756e8ad]
stable/7.0: [d0c6a4816609f145ffcc74e64baa214c571c17c6]
CVE-2026-46163: wifi: b43legacy: enforce bounds check on firmware key
index in RX path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46163
Introduced by commit 75388ac ("[B43LEGACY]: add mac80211-based driver
for legacy BCM43xx devices") in v2.6.24-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a035766f970bde2d4298346a31a80685be5c0205]
stable/5.10: [a92bd0503df2488f2cc040f329ebccff1c1934cb]
stable/5.15: [df805c1d085b7a96077f0964185764c87060950d]
stable/6.1: [4242db36de99de734cc1f60e5edd86cda7e598c6]
stable/6.12: [6ee946077607d7783ae6709a899213fc4fe08f35]
stable/6.18: [9d1bc155802943e92c57a5fb923d23edfbf0b525]
stable/6.6: [1baaeb6adecb9691748c0253dab6ddd19a2b4e9e]
stable/7.0: [fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5]
CVE-2026-46164: btrfs: fix double free in
create_space_info_sub_group() error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46164
Introduced by commit f92ee31 ("btrfs: introduce btrfs_space_info
sub-group") in v6.16-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [a7449edf96143f192606ec8647e3167e1ecbd728]
stable/6.12: [14b22be1dd844383eb03af9b1ee3b6b25d32aeaf]
stable/6.18: [dfd05a16b5c9d1d98b47905f37f2fccda52173d1]
stable/6.6: [d2a675f2e238ec96c8e91e2718c1f910c9c8fb21]
stable/7.0: [259af6857a1b4f1e9ef8b780353f9d11c26a22bd]
CVE-2026-46165: openvswitch: vport: fix self-deadlock on release of tunnel ports
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46165
Introduced by commit 6931d21 ("openvswitch: defer tunnel netdev_put to
RCU release") in v7.0-rc6.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.12 stable/6.1 stable/6.12 stable/6.18 stable/6.6
Fixed status
mainline: [aa69918bd418e700309fdd08509dba324fb24296]
stable/6.1: [8ae6c15fc473c9ad03b0173330cce9a092c76154]
stable/6.12: [6522d59fb7de55ce0f0f285d962243ddffebb01f]
stable/6.18: [3df75fff46b1517eb479d8e6b8e3500763715dd0]
stable/6.6: [c741433f6c8dcdecd1d9549d89053761fd1ea413]
stable/7.0: [366c482965c673565ecb8bcfb15d5548f13a6a10]
CVE-2026-46166: wifi: mac80211: use safe list iteration in radar detect work
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46166
Introduced by commit bca8bc0 ("wifi: mac80211: handle
ieee80211_radar_detected() for MLO") in v6.12-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ac8eb3e18f41e2cc8492cc1d358bcb786c850270]
stable/6.12: [887ece6c23b49d02a6678e7a8d5ad213d75883ce]
stable/6.18: [7577a4b8a10fab45a6ee2045ea038a5adadbb585]
stable/7.0: [120149fb3ebcf674832ca3cafd32bedcdb686dde]
CVE-2026-46167: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46167
According to the .vulnerable file, this bug was introduced by commit
1da177e in v2.6.12.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b38e53cbfb9d84732e5984fbd73e128d592415c5]
stable/5.10: [0f7c41314ebf17049917a452684db371babf711a]
stable/5.15: [cf24991619be317e2769310b4a367bf4a04b82bc]
stable/6.1: [087d97342c100138ea7d75a50977c9c2319f957b]
stable/6.12: [a502b997668401a6821501fc98b7f9220f9b6ff2]
stable/6.18: [762a6ccf391db0d629e590a803a3a2231e17dd3f]
stable/6.6: [d06d937b0a4cdb8867f04275c8100a8b943da31a]
stable/7.0: [6b0e7438e31c74b01514d31ff35c1e688c4baaba]
CVE-2026-46168: mptcp: fix scheduling with atomic in timestamp sockopt
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46168
Introduced by commit 9061f24 ("mptcp: sockopt: propagate timestamp
request to subflows") in v5.14-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b5c52908d52c6c8eb8933264aa6087a0600fd892]
stable/5.15: [0949d8bbbedbafe0136a1723c41eb823c2f1e09d]
stable/6.1: [e792cfb6aeaf65612cdf8e3ac431d65e66283654]
stable/6.12: [b157dab93a7af44a84e78cf0cb311dde475cff5b]
stable/6.18: [8a005fe451c73fd2b3d1faa5643c11e6bd07acfc]
stable/6.6: [ebeb70e29e37cfce899309cc2665a3bfe960ed94]
stable/7.0: [7eb513b42721bee4b96da69f6188d5a7783f210d]
CVE-2026-46169: hfsplus: fix uninit-value by validating catalog record size
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46169
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b6b592275aeff184aa82fcf6abccd833fb71b393]
stable/6.12: [c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a]
stable/6.18: [a420904450962a562ad053a41a53a27755021b48]
stable/6.6: [61a790974ff7e533acbceca06c7d02f22bf96d4d]
stable/7.0: [93e8d613f1a01b6637f387cc93f184cf7fb881d6]
CVE-2026-46170: mptcp: pm: ADD_ADDR rtx: free sk if last
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46170
Introduced by commit 00cfd77 ("mptcp: retransmit ADD_ADDR when
timeout") in v5.10-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b7b9a461569734d33d3259d58d2507adfac107ed]
stable/6.12: [531c537b8fb620beabccfb1594e8d43cbebbb87a]
stable/6.18: [b74ad20198652b6b39a761c277ba65ae82b1e107]
stable/6.6: [6a3af482188f6db4186d1605f64d911d7330abb3]
stable/7.0: [8143a224785ceaf2b0856e08d4498916f38228fb]
CVE-2026-46171: riscv: kvm: fix vector context allocation leak
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46171
Introduced by commit 0f4b825 ("riscv: KVM: Add vector lazy
save/restore support") in v6.5-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978]
stable/6.18: [bd62c0f61bc722a097417401030c596cea8e21aa]
stable/7.0: [1d57ab45ec5c0e22789de793bcf2a31ad6fb7d98]
CVE-2026-46172: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46172
Introduced by commit 0146dca ("xfrm: add support for UDPv6
encapsulation of ESP") in v5.8-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [bc0fcb9823cd0894934cf968b525c575833d7078]
stable/5.10: [a0721bcd72641c32b281f227a94505b31cf54117]
stable/5.15: [a20b34f6e854fe6f2aa82528fae7a88759919eb4]
stable/6.1: [870560015ce6e0d8f841c6a8aba33c44be52c727]
stable/6.12: [554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13]
stable/6.18: [9d5047782f9bd2829e529df69209bf3232eb561f]
stable/6.6: [c2efc4956981066df2fef1cc77391b523db6d8e4]
stable/7.0: [6a5eec0a2a0e99ec9743cf8f1c4082178811d90a]
CVE-2026-46173: exit: prevent preemption of oopsing TASK_DEAD task
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46173
Introduced by commit 7f80a2f ("exit: Stop poorly open coding
do_task_dead in make_task_dead") in v5.17-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891]
stable/6.1: [3d6fb8a7690c23e3213c4b008f64d89a44b98737]
stable/6.12: [7b2800ba5f5f77a8ee7f4cbadb19cf1264597a34]
stable/6.18: [6f49f94f3b11fe8bff1bf2a054143789e76aaf17]
stable/6.6: [640b4c00fb0e2920327435f6176cbefc3c546165]
stable/7.0: [9756b3db5db6c2f5eccb32dddbd88eb4c54f575e]
CVE-2026-46174: x86/CPU/AMD: Prevent improper isolation of shared
resources in Zen2's op cache
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46174
According to the .vulnerable file, this bug was introduced by commit
f7f3dc0 in v4.14-rc2.
Fixed in v7.1-rc4.
Bug introduced commit was backported to following branches.
cip/4.4 cip/4.4-rt cip/4.4-st
Fixed status
cip/4.19-st: [3461f705cfdf325386297a27e46094efe20f0896]
mainline: [c21b90f77687075115d989e53a8ec5e2bb427ab1]
stable/5.10: [1e23b30a80b14e5764657401ee2cca030525ae8e]
stable/5.15: [f5bc3aef7df46eaaf423d7413ab8833f704ae576]
stable/6.1: [251497955f2314cd39d43191e81c6151dead4c7b]
stable/6.12: [9109489cc8c34e50d15575a3d1ff82af586bc1aa]
stable/6.18: [28f5ed477eef166d678d6966762cbc1de9b4f436]
stable/6.6: [ff6fc65b3bf73acc5ee71919154d830ad5431362]
stable/7.0: [1cd85a19748b2407830376a5cbae5c0f126016e5]
CVE-2026-46175: f2fs: fix fsck inconsistency caused by FGGC of node block
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46175
Introduced by commit da011cc ("f2fs: move node pages only in victim
section during GC") in v4.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c3e238bd1f56993f205ef83889d406dfeaf717a8]
stable/6.18: [8be551f538dc5b64183e27bd45a7a0795263f760]
stable/7.0: [e7c6d30169b03307d27c4479563df79c08f3a746]
CVE-2026-46176: RDMA/mlx5: Fix error path fall-through in
mlx5_ib_dev_res_srq_init()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46176
Introduced by commit 5895e70 ("IB/mlx5: Allocate resources just before
first QP/SRQ is created") in v6.11-rc1.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
stable/6.6
Fixed status
mainline: [c488df06bd552bb8b6e14fa0cfd5ad986c6e9525]
stable/6.12: [bc2cf5935b4665172235341163315905197ae91d]
stable/6.18: [b087913ae88256df66620f7ba0a9776716aeef7e]
stable/6.6: [a13c2ac4d480b734342c6fbf8249fc48afd675f3]
stable/7.0: [6fd93142dd1d09000c3750af08270f5792523fe9]
CVE-2026-46177: ipmi: Add limits to event and receive message requests
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46177
Introduced commit is not determined.Fixed in v7.1-rc3.
Fixed status
mainline: [c4cca236968683eb0d59abfb12d5c7e4d8514227]
stable/5.10: [112df8e631636cafda64dcee4561daf09ce74a4a]
stable/5.15: [304b56883b7eff73eb606c35d062c8101aaf5471]
stable/6.1: [9059dc94421e1d4f8e5844204608b37ebfddb3da]
stable/6.12: [e20212b431bef217d3886b86bbc90cc3ed00de68]
stable/6.18: [3d37d2165df9504ea99d9e6181552dc4d2d1ab37]
stable/6.6: [67c44e0deba936d5edaebea356b4589eb43acb5c]
stable/7.0: [c024167fb00489baee08c72182ca2e7dc5fb9f20]
CVE-2026-46178: RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46178
Introduced by commit 225c7b1 ("IB/mlx4: Add a driver Mellanox ConnectX
InfiniBand adapters") in v2.6.22-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c]
stable/5.10: [53fd4c03558672ccb167754fbacbf045c7ab335c]
stable/5.15: [0be6ae614ca7fa53e7389e3c7462ed20abbd4192]
stable/6.1: [5b3b220d54e6a3d77380cb7caa1ef79cb8f4fc94]
stable/6.12: [0dbd619716fb07b7de1acd64fec673ee6e1adde7]
stable/6.18: [e01b8c9286c470b71a38acd320106f2c4f2826a1]
stable/6.6: [c5dc30da990045105c9762248d23076223e7878a]
stable/7.0: [388617f44d81604a760742a0b5de292d411e63e3]
CVE-2026-46179: ASoC: SOF: Don't allow pointer operations on
unconfigured streams
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46179
Introduced by commit c1a731c ("ASoC: SOF: compress: Add support for
computing timestamps") in v6.1-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8]
stable/6.1: [76ff6bfc9a809571793f425ba99f6a759108dcf8]
stable/6.12: [98ed1383f597f8a45b6cb816bb20b96d46eeceda]
stable/6.18: [0f0c0c1397a42aacaacae828206ee1b921623952]
stable/6.6: [327a64241f30c74b6f35537eb9e1fc6c3cbe060b]
stable/7.0: [4f42dd01f5217465f23a763e27b3984e114d0972]
CVE-2026-46180: wifi: brcmfmac: Fix potential use-after-free issue
when stopping watchdog task
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46180
Introduced by commit 373c83a ("brcmfmac: stop watchdog before detach
and free everything") in v4.18-rc6.
Introduced by commit a9ffda8 ("brcm80211: fmac: abstract bus_stop
interface function pointer") in v3.3-rc1.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
cip/4.4 cip/4.4-rt cip/4.4-st
Fixed status
mainline: [c623b63580880cc742255eaed3d79804c1b91143]
stable/6.12: [d16827cb1d3936f7627d0da6044483f743ebde03]
stable/6.18: [658d2e46c2e9a8eb9b80c5e803ce3c89885b3366]
stable/6.6: [ed4168d1a50fef5be8eca947fbbf05a28507d265]
stable/7.0: [908b92231e1ded53e43fcfad5e0704d83e1b803c]
CVE-2026-46181: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46181
Introduced by commit 30353bf ("net/mlx4_core: Use RCU to perform radix
tree lookup for SRQ") in v4.9-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c9341307ea16b9395c2e4c9c94d8499d91fe31d0]
stable/6.18: [1e2a44875b6afb4add1115f7f3351dcbeb6f273d]
stable/7.0: [8b7833f3bce35cb0d01c1503781523c099c675f0]
CVE-2026-46182: pseries/papr-hvpipe: Prevent kernel stack memory leak
to userspace
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46182
Introduced by commit cebdb52 ("powerpc/pseries: Receive payload with
ibm,receive-hvpipe-msg RTAS") in v6.18-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cefeed44296261173a806bef988b26bc565da4be]
stable/6.18: [0479b6e9f999cc1cbad7d9f09f574fc387e605d5]
stable/7.0: [f88f8e4485b437e0a2f96a7ff1f88aa22d925659]
CVE-2026-46183: mm/damon/sysfs-schemes: protect path kfree() with
damon_sysfs_lock
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46183
Introduced by commit c41e253 ("mm/damon/sysfs-schemes: implement path
file under quota goal directory") in v6.19-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cf3b71421ca00807328c6d9cd242f9de3b77a4bf]
stable/7.0: [a34ca3e33da4b924c66bcca3729bf68ec5936910]
CVE-2026-46184: sound: ua101: fix division by zero at probe
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46184
Introduced by commit 63978ab ("sound: add Edirol UA-101 support") in
v2.6.34-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d1f73f169c1014463b5060e3f60813e13ddc7b87]
stable/5.10: [e02897c5b041c9b980055fa9a6167023d6dc5caf]
stable/5.15: [aae1498c59f48d03ee358df84f07a5af9885f827]
stable/6.1: [66d9c2ed081f299cfb201d9e9c4faf920e56e0bf]
stable/6.12: [593dd7e6c890d8e4ca21b3e2f796b7cb8e8da983]
stable/6.18: [0ff2b713f406e9ecadb406014d74e7a020ac12b1]
stable/6.6: [6162e8212e88c39492d981b248b5e37002486c66]
stable/7.0: [f1862dbf09080254c52175a448290c784dd7d3de]
CVE-2026-46185: smb/client: fix out-of-bounds read in symlink_data()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46185
Introduced by commit 76894f3 ("cifs: improve symlink handling for
smb2+") in v6.1-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d62b8d236fab503c6fec1d3e9a38bea71feaca20]
stable/6.1: [2be11faf79e49fb8250a181ff0b4d2b2f084af83]
stable/6.12: [15dc0a4de743a1aaa7b859b3aea79f08c695396c]
stable/6.18: [b8c8a704f0bc133deb171f6aeb6f3a684203e212]
stable/6.6: [ef6495d4df6e7af8f3de67e65150881c880f696c]
stable/7.0: [b9561402489d41149f63e001a74384863b7b30a6]
CVE-2026-46186: Bluetooth: virtio_bt: validate rx pkt_type header length
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46186
Introduced by commit 160fbcf ("Bluetooth: virtio_bt: Use skb_put to
set length") in v6.1-rc4.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
stable/5.15
Fixed status
mainline: [daf23014e5d975e72ea9c02b5160d3fcf070ea47]
stable/5.15: [149cfb42ad69c7964fd9f2c43831da9152007129]
stable/6.1: [7b2d4c04816cdc887f472caaf7fc966cfc107e40]
stable/6.12: [2c1143564c71e7497b42d8360a8379ccbb011d3c]
stable/6.18: [3485c7236c59c8c34a41af1c4b52982437554e79]
stable/6.6: [1e1e509b6fd2a42421745bbcd98bd16daad20904]
stable/7.0: [f743eab6486965f276c7e3f1700895f014fdc6db]
CVE-2026-46187: wifi: rsi: fix kthread lifetime race between self-exit
and external-stop
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46187
Introduced by commit 4c62764 ("rsi: improve kernel thread handling to
fix kernel panic") in v4.20-rc1.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/4.4 cip/4.4-rt cip/4.4-st
Fixed status
mainline: [db57a1aa54ff68669781976e4edb045e09e2b65b]
stable/5.10: [4ac3095da22fc50e51ec10c3b8323c21ab3e441a]
stable/5.15: [9dfe8a4458a063c6433526bc59112a169eee1aa3]
stable/6.1: [4f697813162d5f9151726a6d2bee82bffe4b0256]
stable/6.12: [16d9f674c619838bdeae42abc0929c9c5477ea1f]
stable/6.18: [4f9a4ae8d2c198f01611ea376034c326ef43ab56]
stable/6.6: [95fcb436586dc3c2983537d557ac05bbc6a027f3]
stable/7.0: [4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f]
CVE-2026-46188: octeon_ep_vf: add NULL check for napi_build_skb()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46188
Introduced by commit 1cd3b40 ("octeon_ep_vf: add Tx/Rx processing and
interrupt support") in v6.9-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [dd66b42854705e4e4ee7f14d260f86c578bed3e3]
stable/6.12: [60246cdd4c515ea7d920cddf48932efcb990773e]
stable/6.18: [b0f4711b426a06fb4c4be85c36b9f5588d5140d3]
stable/7.0: [6fef6640bbf360e254cc0174365ed30ce3a07572]
CVE-2026-46189: RDMA/vmw_pvrdma: Fix double free on
pvrdma_alloc_ucontext() error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46189
Introduced by commit 29c8d9e ("IB: Add vmw_pvrdma driver") in v4.10-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e38e86995df27f1f854063dab1f0c6a513db3faf]
stable/5.10: [269967d7693304e1f06ed2dff4ebbbeeb397cda4]
stable/5.15: [1df5711121cdc11e76b889408fdbe459feba1d39]
stable/6.1: [3a231c34c5bc3d3cfc850b877758ec9fdaa8a483]
stable/6.12: [45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0]
stable/6.18: [0c63333ff97bd1275294fd12840a0efe9d7a4c59]
stable/6.6: [ecc36a82ecfcfdf3c6606d209f22ec5543c410e0]
stable/7.0: [935ee27d0904aa944cbcc979094c20e5ef62eead]
CVE-2026-46190: mtd: spi-nor: debugfs: fix out-of-bounds read in
spi_nor_params_show()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46190
Introduced by commit 0257be7 ("mtd: spi-nor: expose internal
parameters via debugfs") in v5.19-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e47029b977e747cb3a9174308fd55762cce70147]
stable/6.12: [ca18c180b053f6ce80394322b314ac721c316af7]
stable/6.18: [34bdcfb496b29f9a52431194f94473b37fb8c162]
stable/6.6: [9a80c458320e0514e11945402dd6e48fcee05524]
stable/7.0: [c0b654bc0b76a1da102d9138be1ed1223bd99310]
CVE-2026-46191: fbcon: Avoid OOB font access if console rotation fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46191
Introduced by commit 6cc50e1 ("[PATCH] fbcon: Console Rotation - Add
support to rotate font bitmap") in v2.6.20.16.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e4ef723d8975a2694cc90733a6b888a5e2841842]
stable/6.12: [ab6c34b9829d5de03f1d08a47a2253729a6e7e27]
stable/6.18: [7105d9f1387d63b15c9a860674fc92c959181f2f]
stable/6.6: [594973a2e54924d8ba31c9faac669fc1ba6fcb80]
stable/7.0: [b44cc78ff46b96e72d333a3be6aaaa0a14797263]
CVE-2026-46192: spi: microchip-core-qspi: don't attempt to transmit
during emulated read-only dual/quad operations
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46192
Introduced by commit 8f9cf02 ("spi: microchip-core-qspi: Add regular
transfers") in v6.17-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [eb56deaabf127e8985fc91fa6c97bf8a3b062844]
stable/6.18: [ec9d0ddbde6003c303fa5e1d5cd48952852984d8]
stable/7.0: [67184f361ab4d9fac6d2b8d5fed6649d496038a4]
CVE-2026-46193: xfrm: ah: account for ESN high bits in async callbacks
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46193
Introduced by commit d4d573d ("{IPv4,xfrm} Add ESN support for AH
egress part") in v3.15-rc1.
Introduced by commit d8b2a86 ("{IPv4,xfrm} Add ESN support for AH
ingress part") in v3.15-rc1.
Introduced by commit 26dd70c ("{IPv6,xfrm} Add ESN support for AH
egress part") in v3.15-rc1.
Introduced by commit 8d6da6f ("{IPv6,xfrm} Add ESN support for AH
ingress part") in v3.15-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ec54093e6a8f87e800bb6aa15eb7fc1e33faa524]
stable/6.12: [729899a2aa8bda7844be0cdcd3b470f11b912eda]
stable/6.18: [7db99a09b3bc87268287bc7ab5f2e7f382b5ad87]
stable/6.6: [0555d4f526232b3c9e3afbcd490c0c0793aefec6]
stable/7.0: [2ffaa7a94f9a4d22724364a1821735a0231d9f8d]
CVE-2026-46194: f2fs: fix node_cnt race between extent node destroy
and writeback
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46194
Introduced by commit 3fc5d5a ("f2fs: fix to shrink read extent node in
batches") in v6.13-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.6
Fixed status
mainline: [ed78aeebef05212ef7dca93bd931e4eff67c113f]
stable/6.12: [ab1eaf9d5c99042f5b0243bf67a06283a4c0757f]
stable/6.18: [b0e4395870eb3441ddc959f6710b5f6ca61aff26]
stable/6.6: [42dd1c91f993431d0b399502479d00e6ad1bca71]
stable/7.0: [0559a0e962aacbb47519e26ee663be04b72dcb92]
CVE-2026-46195: smb: client: validate dacloffset before building DACL pointers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46195
Introduced by commit bc3e9dd ("cifs: Change SIDs in ACEs while
transferring file ownership.") in v5.12-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f98b48151cc502ada59d9778f0112d21f2586ca3]
stable/6.12: [3b1ddba19e77ee35241cd27f16dc3e8d14e08db7]
stable/6.18: [c688f3ed73d31943334ad2139cb02ec49664322a]
stable/6.6: [ba7f71b6161c0943dafc367565e5843d16b7d505]
stable/7.0: [8bd07e417b6bda67e317920584e48cb6ee442a8a]
CVE-2026-46196: tracepoint: balance regfunc() on func_add() failure in
tracepoint_add_func()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46196
Introduced by commit 8cf868a ("tracing: Have the reg function allow to
fail") in v4.10-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [fad217e16fded7f3c09f8637b0f6a224d58b5f2e]
stable/6.12: [7bcadb3c2bc1cf60690e931aadd35fb7bd646a49]
stable/6.18: [2c5b8eeea006eb694c81631cd5713d494b80be90]
stable/6.6: [247ed8a969f981bfba3112fd4bb441eaa6cef59c]
stable/7.0: [342829e042ac00f3d68d442ea92873fb6683f494]
CVE-2026-46197: drm/amdkfd: validate SVM ioctl nattr against buffer size
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46197
According to the .vulnerable file, this bug was introduced by commit
42de677 in v5.14-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [045e0ff208f0838a246c10204105126611b267a1]
stable/5.15: [daa8bc5f83814b55b71d2b5b3a090d57a5219c21]
stable/6.1: [fb07a0c9c8419164812e07274947f11b1d92dd61]
stable/6.12: [ccd060b5c7cc75ae7e211c250b97c5b6272e7efc]
stable/6.18: [db9530a9873a7c85d2266a922589ebcf427fa631]
stable/6.6: [91c6dc5a41695d02dfc6299f106ac38a6c493e52]
stable/7.0: [6abd3a4417cb73a7d0db7e25bf11fae1074bdba3]
CVE-2026-46198: batman-adv: fix integer overflow on buff_pos
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46198
Introduced by commit c6c8fea ("net: Add batman-adv meshing protocol")
in v2.6.38-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0799e5943611006b346b8813c7daf7dd5aa26bfd]
stable/5.10: [867cd090760e8f5cd206f387b47ff9c56fac04e9]
stable/5.15: [10bb1f366d884d506c38a947b43026a75d1afe9a]
stable/6.1: [96c9c0ed9a9579a9085765aceaa4556a6666eb82]
stable/6.12: [974542d1efc48b7e9fe16184e647615cba39969b]
stable/6.18: [bf872db54f91ffe70104b98c20068b2d5910e018]
stable/6.6: [f61499359fa529f0d45a53bf7c573a49eb6322e6]
stable/7.0: [b252797bfced986d6d92ec2f4cfcca842ce8aa78]
CVE-2026-46199: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46199
According to the .vulnerable file, this bug was introduced by commit
87cc7f9 in v5.13-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648]
stable/6.1: [88411caee8f576d6b5abf6531232fcc0ce756dc5]
stable/6.12: [7688143ca62edeecacb3ba0a2cea129dbd262a18]
stable/6.18: [63b51e8a9d54317d31cc3856c1e12407070d5fc2]
stable/6.6: [c72a8b4dc6d598e3831ef3abd9c6527dfbf4810e]
stable/7.0: [3c817a60b09eaab926e475088e750936efcc95ae]
CVE-2026-46200: spi: mpc52xx: fix controller deregistration
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46200
Introduced by commit 42bbb70 ("powerpc/5200: Add mpc5200-spi (non-PSC)
device driver") in v2.6.33-rc1.
Introduced by commit b8d4e2c ("mpc52xx_spi: add gpio chipselect") in
v2.6.33-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0f997fdae819a8c2cc83bd4ff7d935ad76c727c9]
stable/6.12: [a3669f678d0ee8b686d3eea4c0ed9817c9374945]
stable/6.18: [28f28a0f4e327f792c230493a0ea00389ff68ff5]
stable/7.0: [7fea80d93bfd34051b2ac1cec07766c87d8d28be]
CVE-2026-46201: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46201
Introduced by commit dd08ebf ("drm/xe: Introduce a new DRM driver for
Intel GPUs") in v6.8-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [111ab678471bf1f90d078d5513bb086b70596c3c]
stable/6.12: [d394669e194936d7ce15284a24a5ae334c4c5b74]
stable/6.18: [0afa8b1ef582ecf6fb04097fd356f8741e5005ed]
stable/7.0: [eea1e10f8d99c0f04deef707c99705b94bba3b78]
CVE-2026-46202: HID: appletb-kbd: run inactivity autodim from workqueues
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46202
Introduced by commit 93a0fc4 ("HID: hid-appletb-kbd: add support for
automatic brightness control while using the touchbar") in v6.15-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1654e53349d4e657b331de354313461f401f5063]
stable/6.18: [5c0830323689ef15224f0025276176988861b3b0]
stable/7.0: [2473a334c292af257ef68e33bc7760f4a8251812]
CVE-2026-46203: spi: cadence-quadspi: fix unclocked access on unbind
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46203
Introduced by commit 0578a6d ("spi: spi-cadence-quadspi: add runtime
pm support") in v6.7-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [233db2cb14db8b1935dda52a6affd97276462b82]
stable/7.0: [d67a5311818b3e6481a1e4293c9337ebfee73111]
CVE-2026-46204: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46204
According to the .vulnerable file, this bug was introduced by commit
0b15205 in v6.0-rc1.
Fixed in v7.1-rc1.
Affected file was added by 8da1170 ("drm/amdgpu: add VCN4 ip block
support") in v5.19-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2444eb0ec8283f4a3845eb7febad378476e1ba3c]
stable/6.12: [d0802a8877d730260d4af4dd4e0b6cde7e0e593f]
stable/6.18: [a6d5563ba1f03a049561cd347574613167294e8d]
stable/6.6: [1dc005775fb5b3f86464406452b17364f85581d3]
stable/7.0: [5c3e8ebad0c9e2354ddfa8f2148dc4f70a3b4bd1]
CVE-2026-46205: staging: media: atomisp: Disallow all private IOCTLs
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46205
Introduced by commit a49d253 ("staging/atomisp: Add support for the
Intel IPU v2") in v4.12-rc1.
Introduced by commit ad85094 ("Revert "media: staging: atomisp: Remove
driver"") in v5.8-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c]
stable/5.10: [64e85679beafe082fc2e70a557ec356c7fd27548]
stable/5.15: [8774f8cb661f57ae43cc3bc0509d16ef1f406e45]
stable/6.1: [ceb1b5f910e58986ea544ff8c9c2f23ae9a52414]
stable/6.12: [6f1ce75a75c65061e7a720c3d0ee5f8adab7a2d3]
stable/6.18: [c7848b67ef10f581114b6a2f52b160fc20eb52c9]
stable/6.6: [8c7a281a99224a5b9af99c4dcd98d68eea75926c]
stable/7.0: [6850a439f8d23d4979624f1d6880d3118d473a28]
CVE-2026-46206: batman-adv: reject new tp_meter sessions during teardown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46206
Introduced by commit 33a3bb4 ("batman-adv: throughput meter
implementation") in v4.8-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3243543592425beec83d453793e9d27caa0d8e66]
stable/5.10: [0a7a840074c9ca5ebffc9c52358c8ea55828ec71]
stable/5.15: [dcff44644bb518598b1a6be722706d6174b2f6a1]
stable/6.1: [52e6ec3e972cf27792cc1559874dbee19f286869]
stable/6.12: [ff93f86ecbb50a4709c403fc279a396e308edde5]
stable/6.18: [e1e2194cc725ec1d41f9412496212f0fa0519c36]
stable/6.6: [e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6]
stable/7.0: [ca39545cf07c142b39d474a1439a046bf28def3d]
CVE-2026-46207: vsock/virtio: fix empty payload in tap skb for
non-linear buffers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46207
Introduced by commit 4b0bf10 ("vsock/virtio: non-linear skb handling
for tap") in v6.7-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3a3e3d90cbc79600544536723911657730759af3]
stable/6.12: [06747f52ab157591cec7e5623a759473b66ef6f6]
stable/6.18: [52da6a74ca3de0fcda60301096b71534b3b18641]
stable/7.0: [378b131a25bd1a5ee27ca199fe486c299d5350c5]
CVE-2026-46208: batman-adv: stop tp_meter sessions during mesh teardown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46208
Introduced by commit 33a3bb4 ("batman-adv: throughput meter
implementation") in v4.8-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3d3cf6a7314aca4df0a6dde28ce784a2a30d0166]
stable/6.12: [26dfeee8db81354bfdade155f27f9e16510ad196]
stable/6.18: [03660dab86f93319178a24667f6998526dc4355d]
stable/6.6: [79bc0eaeef2c5797317bf2da8e3159a74d62ec47]
stable/7.0: [8634c1dbd73adb74d40533ebb7e914efb82e71fb]
CVE-2026-46209: drm/gem: Fix inconsistent plane dimension calculation
in drm_gem_fb_init_with_funcs()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46209
Introduced by commit 4c3dbb2 ("drm: Add GEM backed framebuffer
library") in v4.14-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3d4c2268bd7243c3780fe32bf24ff876da272acf]
stable/5.10: [11427ad6c9f0def5ce567982b785da3191946430]
stable/5.15: [adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad]
stable/6.1: [22922f7dae74409fc4bf0f1142710cb6b8ce8cc2]
stable/6.12: [1da4ab7189f1064b3b712b388772c008b4d82580]
stable/6.18: [1a17ea9861e89585361caa8bc231bd22dc6dbe7d]
stable/6.6: [6b992591e04f2cce813bcf239b354f375bbf84d3]
stable/7.0: [c5fc49d8470c5ebf3b41607600f277158f159950]
CVE-2026-46210: media: iris: fix use-after-free of fmt_src during MBPF check
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46210
Introduced by commit 5ad964a ("media: iris: Initialize and
deinitialize encoder instance structure") in v6.18-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3d9593ad1a58c5acc3e5fa2a48222bb7632e6812]
stable/7.0: [494ffd1712a588e590e6b1e9f876a8c8b24a9180]
CVE-2026-46211: drm/msm/gem: fix error handling in
msm_ioctl_gem_info_get_metadata()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46211
Introduced by commit 9902cb9 ("drm/msm/gem: Add metadata") in v6.8-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [47cbfe2608314b833ad61a65827d8fb363bc2d2d]
stable/6.12: [697e1a9559f6962f999cc4c748c2ffffcc0a7a7a]
stable/6.18: [c57c861956b89f2e2528e6384d51e2dedd915809]
stable/7.0: [b079e85c91f446f29e808d8291189e897f1884ff]
CVE-2026-46212: batman-adv: bla: prevent use-after-free when deleting claims
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46212
Introduced by commit 2372138 ("batman-adv: add basic bridge loop
avoidance code") in v3.5-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4ae1709a314060a196981b344610d023ea841e57]
stable/5.10: [1d4b241482d9025c537afb3c7c8419c72c0e0c82]
stable/5.15: [a1a99837bb6169cfb9187abaa2005e8f12079426]
stable/6.1: [b88c865dcf6e9f20bfe66a360d4b62941ef769b8]
stable/6.12: [6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472]
stable/6.18: [00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401]
stable/6.6: [368449e467d5f1e2c2e987bf2bd57000ba75e10b]
stable/7.0: [0cc9847c64cb6e61118bc78c9187c8209a7197fa]
CVE-2026-46213: HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46213
Introduced by commit 38224c4 ("HID: appletb-kbd: fix slab
use-after-free bug in appletb_kbd_probe") in v6.16-rc5.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4db2af929279c799b5653a39eb0795c72baffca4]
stable/6.18: [59a79938ca5541fe55d675304116b7ea684afef0]
stable/7.0: [93d989e47bc316c793a69c6a332e053c90e29f02]
CVE-2026-46214: vsock/virtio: fix accept queue count leak on transport mismatch
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46214
Introduced by commit c0cfa2d ("vsock: add multi-transports support")
in v5.5-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [52bcb57a4e8a0865a76c587c2451906342ae1b2d]
stable/5.10: [2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f]
stable/5.15: [fd51e810affa38d735d04261e673b2a5fe9c8665]
stable/6.1: [f66c7904fb6f0e420a654bc90909e64a25d00896]
stable/6.12: [29371f3cc83e2a92265b4768014a30b80234112f]
stable/6.18: [e9edf9893cf26d060705c910a9b62d8cc96ed56a]
stable/6.6: [65c484726e74013a2ec7ba67a34d87760ae8f390]
stable/7.0: [6d3275fc4ed968938e1d556c344798046776668d]
CVE-2026-46215: drm: Set old handle to NULL before prime swap in change_handle
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46215
Introduced by commit 5309672 ("drm: Add DRM prime interface to
reassign GEM handle") in v6.18-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5e28b7b94408897e41c63477aabc9e1db439bc8c]
stable/6.18: [672464dd53231509c9c771110798c56d4660e19e]
stable/7.0: [61bd96d3e5472c253f9c1ab77608f0c8aaa9d025]
CVE-2026-46216: drm/xe/hdcp: Add NULL check for media_gt in
intel_hdcp_gsc_check_status()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46216
Introduced by commit 4af50be ("drm/xe: Use gsc_proxy_init_done to
check proxy status") in v6.10-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [60a1e131a811b68703da58fd805ab359b704ab03]
stable/6.12: [cad210d2851f3a7d9573bdfc02aa61d9287bbe8c]
stable/6.18: [814326e86e929b865020ff44f4576dbdfe3f7ff3]
stable/7.0: [d8ab4b47edf4578dbfbe5e95817107a514fa34cc]
CVE-2026-46217: drm/amdgpu/vcn4: Avoid overflow on msg bound check
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46217
Introduced by commit 0a78f2b ("drm/amdgpu/vcn4: Prevent OOB reads when
parsing dec msg") in v7.1-rc1.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.1 stable/6.12 stable/6.18 stable/6.6 stable/7.0
Fixed status
mainline: [65bce27ea6192320448c30267ffc17ffa094e713]
stable/6.1: [f7bf02dcb7c76229ea8ace11b7d0d0c7b87ee57e]
stable/6.12: [73043d296787bf187d89ffb5c5dcf5bdc3db7885]
stable/6.18: [271cd5429513ff9b364a9bf8903e5b65b687eb25]
stable/6.6: [5bb5faff4837b1d98fd655cf8bd7b5d4da0fc4dc]
stable/7.0: [30d12ee310a6024ff4c7b9eafdbbeab2db450d4a]
CVE-2026-46218: drm/amdgpu: Add bounds checking to ib_{get,set}_value
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46218
According to the .vulnerable file, this bug was introduced by commit
d38ceaf in v4.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [66085e206431ef88ce36f53c1f53d570790ccc9e]
stable/6.1: [5da6c6430be0acb25b4242bce0323fc514d4e3cf]
stable/6.12: [a853178d23e774adfe3a35073c375b04b3b20f7d]
stable/6.18: [fec8b11b55e53ff51a741e56894fe331a516f5c6]
stable/6.6: [0fb5cb556b249b2b64c0f818136c4c3e838ef53f]
stable/7.0: [ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7]
CVE-2026-46219: spi: mpc52xx: fix use-after-free on unbind
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46219
Introduced by commit 9848366 ("spi: mpc52xx: Add cancel_work_sync
before module remove") in v6.13-rc2.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/4.4 cip/4.4-rt cip/4.4-st
cip/5.10 cip/5.10-rt cip/6.1 cip/6.1-rt cip/6.12 stable/5.10
stable/5.15 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0]
stable/5.10: [ac8316c896c79f32c1d0a38cb41fd2b14cf8112e]
stable/5.15: [ed929d40963073f23cfb50219ccbcc6e0c3ea641]
stable/6.1: [0944b20e9dfa2917bd70eb5b301cbb67fe54a718]
stable/6.12: [ee52da0dd83ebcd89ecbbe2660c57b15a25489f2]
stable/6.18: [6c3e413919a12627d04a31a4a5fccb9fc129bb02]
stable/6.6: [bb6b50f709c5a01906ff72a07fdc070bb3357188]
stable/7.0: [bbcd6dd8e9f264440eaf6167382bf404911c1c46]
CVE-2026-46220: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46220
Introduced by commit 2130f89 ("drm/amdgpu: add SDMA v4.0
implementation (v2)") in v4.12-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [78d2e624fa073c14970aa097adcf3ea31c157a66]
stable/5.10: [ecaa80318e900ca0c3f687742ede33b41cfd2f8e]
stable/5.15: [25e7d56a39657d56d1ea6d78992f7ed15dedb412]
stable/6.1: [d4c56932d29773e278be6a65a5384a36c95b89a4]
stable/6.12: [d331fb241a4602253976ddd65144a8ba2b05665d]
stable/6.18: [0b91ea46bb68abf98a082bf239092253bbd6aaa2]
stable/6.6: [4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe]
stable/7.0: [a4fd82fb0757c180bf622907397c528b89a827b2]
CVE-2026-46221: EDAC/versalnet: Fix device name memory leak
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46221
Introduced by commit d5fe2fe ("EDAC: Add a driver for the AMD Versal
NET DDR controller") in v6.18-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8cf5dd235eff6008cb04c3d8064d2acfa90616f1]
stable/6.18: [24d2912962d087ebff7c4984f8ac34a5f23c8dbf]
stable/7.0: [b16033c8774f5fb4c0cb9b445a1dfc68f499ae6a]
CVE-2026-46222: media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46222
Introduced by commit 501802e ("media: rockchip: rkcif: add abstraction
for dma blocks") in v6.19-rc1.
Introduced by commit 85411d1 ("media: rockchip: rkcif: add abstraction
for interface and crop blocks") in v6.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8e3c751259dc2d1325838eff26f41032523c7b57]
stable/7.0: [318142640590342bfec7aa06d0bdcd0ddbf953d0]
CVE-2026-46223: cgroup: Defer css percpu_ref kill on rmdir until
cgroup is depopulated
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46223
Introduced by commit 1b164b8 ("cgroup: Wait for dying tasks to leave
on rmdir") in v7.0-rc7.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [93618edf753838a727dbff63c7c291dee22d656b]
stable/7.0: [33fa2e6b1507a0a377a151a8826438bedad1d0b0]
CVE-2026-46224: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on
allocation failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46224
Introduced by commit eb289a5 ("drm/xe: Convert xe_dma_buf.c for
exhaustive eviction") in v6.18-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [93a528f67ce5095bcab46a69839eca97f43dd352]
stable/6.18: [f9ad21b90162baf1d78f8036ff3813c3ec1ac88e]
stable/7.0: [8fa8c2a22585fcb31dc605b91a67bbcca223fdd7]
CVE-2026-46225: spi: rspi: fix controller deregistration
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46225
Introduced by commit 9e03d05 ("spi: rcar: Use
devm_spi_register_master()") in v3.14-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9944fa6726afb1e6eb7e2212764e7da0c97f2dcc]
stable/6.12: [c5090db1b31de3ef4db0cda7e822ab49cb572292]
stable/6.18: [aee76c1dd189562c6678313caec12761f78a9ef3]
stable/6.6: [77defd64b405b680db73d767313fce770d368368]
stable/7.0: [fee6abd9845c3edd217b0e429d09f764f9a5690e]
CVE-2026-46226: spi: fsl: fix controller deregistration
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46226
Introduced by commit 4178b6b ("spi: fsl-(e)spi: migrate to using devm_
functions to simplify cleanup") in v4.3-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9b7abfed4c3754062d1f3ffd452e65a38667f586]
stable/6.12: [e888308222375ac28bae69134dae288178718a96]
stable/6.18: [ca3195c7b88362d7c81efe685948663a9f9db0e6]
stable/6.6: [562d954a144950ec2aa6a874ae657cb3fa31fe53]
stable/7.0: [5750743a39c9d46ac9fcf57ffe000956da4942cf]
CVE-2026-46227: sctp: revalidate list cursor after
sctp_sendmsg_to_asoc() in SCTP_SENDALL
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46227
Introduced by commit 4910280 ("sctp: add support for snd flag
SCTP_SENDALL process in sendmsg") in v4.17-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [abb5f36771cc4c05899b34000829a787572a8817]
stable/5.10: [f3a3f0b406b4b7eb3cea35a23fa2bf170848b104]
stable/5.15: [0dbc8cde64280fc37cdd678cced34eaf96cfb197]
stable/6.1: [0c7b55974f97b78d1109025eadf084e74cbf330f]
stable/6.12: [6187a172d6ed57d6b2c327836e4407c6456e639d]
stable/6.18: [c9dadb31f36045a8cb65df4bd75e7237ef21a4b5]
stable/6.6: [1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078]
stable/7.0: [bf0f40d8107e2ce827521968dc6926f3e13728ae]
CVE-2026-46228: spi: ch341: fix devres lifetime
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46228
Introduced by commit 8846739 ("spi: add ch341a usb2spi driver") in v6.11-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [abe572f630bc1f0e77041012ab075869036ede4f]
stable/6.18: [4422fc2411cbbdf5104a914e0596bb483faea254]
stable/7.0: [108a64b27a52f781c4f3751641e3dd65c7dd2fb5]
CVE-2026-46229: drm/amdkfd: Clear VRAM on allocation to prevent stale
data exposure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46229
According to the .vulnerable file, this bug was introduced by commit
6856e4b in v5.4-rc1.
Fixed in v7.1-rc1.
Affected file was added by a46a2cd ("drm/amdgpu: Add GPUVM memory
management functions for KFD") in v4.17-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ad52d61d82181dbdb7f05826de38352d5e550cc2]
stable/6.12: [32b153658f017ad2f5bf8aab479e8d16ac95bc3a]
stable/6.18: [77d0b5d11387071770246fd0185a69fa28e8e109]
stable/6.6: [1db431380879fd9d28b763a88a0c0431be5be8df]
stable/7.0: [047d44d8d29a6a1a5757256837aa9dd78e3cd0b5]
CVE-2026-46230: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46230
According to the .vulnerable file, this bug was introduced by commit
87cc7f9 in v5.13-rc1.
Fixed in v7.1-rc1.
Affected file was added by cf14826 ("drm/amdgpu: add VCN3.0 support
for Sienna_Cichlid") in v5.9-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b193019860d61e92da395eae2011f2f6716b182f]
stable/5.15: [f55552adb100eb54a6e6dabff4fbdc8679bd3fa0]
stable/6.1: [82c535eff05490c71153af57de9fe85502fcb5d5]
stable/6.12: [870c8738c3774336baedddd0240951d078a703b8]
stable/6.18: [638e48ee39d0f2af9336f917a6f5d6692dd64d93]
stable/6.6: [638d3e0b9eb77aa53fdd60e2b928761d16ba76fa]
stable/7.0: [e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7]
CVE-2026-46231: batman-adv: bla: put backbone reference on failed
claim hash insert
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46231
Introduced by commit 3db0dec ("batman-adv: Fix non-atomic
bla_claim::backbone_gw access") in v4.7.
Fixed in v7.1-rc4.
Bug introduced commit was backported to following branches.
cip/4.4 cip/4.4-rt cip/4.4-st
Fixed status
mainline: [ba9d20ee9076dac32c371116bacbe72480eb356c]
stable/5.10: [6c8b68a7ed667a63aa603ba4d3a7088be143007e]
stable/5.15: [769f413d374ff2b6ff6d8d8c37b4c1178e6cdf14]
stable/6.1: [2888c9a154123db0254ae4fb9bea570c7e1f2e06]
stable/6.12: [fd0ca034c1e71ca7613cde9dd892836b2c2831bd]
stable/6.18: [0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0]
stable/6.6: [65419eb4259a26a3cd3f56fa0e3b3c113bf8c256]
stable/7.0: [7cccf4eb4f96d3c3af91a00b7a9caa652439542e]
CVE-2026-46232: HID: playstation: Clamp num_touch_reports
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46232
Introduced by commit 7520382 ("HID: playstation: add DualShock4
touchpad support.") in v6.2-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cac61b58a3b6340c52afa06bb15eac033158db2f]
stable/6.12: [9c031b24aed6733b6dcc5d98527875b8654a04e9]
stable/6.18: [7812694752a5f295eaa05a093b90a2c332666051]
stable/6.6: [0bc4cf1a6ba00fb8c074531b179bc7b97502fbc4]
stable/7.0: [208f6d5b1dfd6399bc6af9e11f27f1f496243ed0]
CVE-2026-46233: batman-adv: bla: only purge non-released claims
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46233
Introduced by commit 2372138 ("batman-adv: add basic bridge loop
avoidance code") in v3.5-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cf6b604011591865ae39ac82de8978c1120d17af]
stable/5.10: [a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe]
stable/5.15: [6725c523a35eeca611ff37e7d4a8712fae92aefd]
stable/6.1: [afb5436f6028fd68f408f189230fbaa19c910d72]
stable/6.12: [7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe]
stable/6.18: [b65365d2b1e6095c538d49baeb140dd1c166c1b3]
stable/6.6: [7b8fbcee3184d848b5aee085ca16d0cf05c9b641]
stable/7.0: [ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d]
CVE-2026-46234: vsock: fix buffer size clamping order
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46234
Introduced by commit b9f2b0f ("vsock: handle buffer_size sockopts in
the core") in v5.5-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d114bfdc9b76bf93b881e195b7ec957c14227bab]
stable/5.10: [f6ec135941d2c1c2dbb87b5ce1783f4f6ac6ccca]
stable/5.15: [caf11dfea5233a69298a1c448bbf8d1639c80536]
stable/6.1: [01ef69785dc3162f588a361ab770b1e312800188]
stable/6.12: [310da27932dd0afe7ce7456dfe1f0814c3301f41]
stable/6.18: [2602f7bb5818e92315feeaeb71d8ce4d5c9ab160]
stable/6.6: [a998a7e250bf976539e05a00ec64a81292afecaa]
stable/7.0: [0b68881501460c3761f196469e1e503218c5e536]
CVE-2026-46235: media: saa7164: add ioremap return checks and cleanups
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46235
Introduced by commit 443c122 ("V4L/DVB (12923): SAA7164: Add support
for the NXP SAA7164 silicon") in v2.6.32-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d51c60a498e83c9a79884c8e420f97e3885c9583]
stable/6.1: [23dee5990d2c27ed79567fd61ccfe6876768531a]
stable/6.12: [a9b83f46e52cf1239d780920d1a7a3e415f7b5d9]
stable/6.18: [6047dc542fa404b5c187cc2c7906aaaaec6d11ed]
stable/6.6: [3ce8f3057c51bb0a66aa3fab0862be74e9f88684]
stable/7.0: [6c22a6d8e4c1507bba504aeebe80476144a373eb]
CVE-2026-46236: media: rc: xbox_remote: heed DMA restrictions
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46236
Introduced by commit 02d32bd ("media: rc: add driver for Xbox DVD
Movie Playback Kit") in v5.0-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff]
stable/5.10: [465d27ab83692167f06a6f917bdfd0a0d4fc8ff3]
stable/5.15: [e0301883ec779c21158a3923b2eb666074fa976e]
stable/6.1: [0ea67a135335e51be50e83ee4cc99560b8b89c25]
stable/6.12: [48a668c22e8f92637bc496e84d1cf06900f74a5c]
stable/6.18: [63a960b39de9c51f29ca19aa5067934f865c0bc7]
stable/6.6: [0cc9251833bf02c8c7863404157c94dab5928fcf]
stable/7.0: [0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249]
CVE-2026-46237: drm/amdgpu/vcn3: Avoid overflow on msg bound check
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46237
Introduced by commit b193019 ("drm/amdgpu/vcn3: Prevent OOB reads when
parsing dec msg") in v7.1-rc1.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/6.12 stable/5.15 stable/6.1 stable/6.12 stable/6.18 stable/6.6 stable/7.0
Fixed status
mainline: [e6e9faba8100628990cccd13f0f044a648c303cf]
stable/5.15: [94a2b37399807fd2ca78dc1906986c4fbd72968e]
stable/6.1: [95b0f6df8d7fad2eabf265d2c3d2538ef58e4465]
stable/6.12: [e8124121b79ab5d32fa8fbbd101f7208eca9cd7d]
stable/6.18: [016b64a0313ea5346cf526e30c8d3e66aca10175]
stable/6.6: [1936310f68c54be961de38ac539cef9b543207cb]
stable/7.0: [2e43b66fceacd6e982b94f2e3f8b34edd7463396]
CVE-2026-46238: batman-adv: stop caching unowned originator pointers in BAT IV
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46238
Introduced by commit c6c8fea ("net: Add batman-adv meshing protocol")
in v2.6.38-rc1.
Fixed in v7.1-rc4.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f03e8583532941b07761c5429de7d50766fa3110]
stable/5.10: [86b2b58d7c228d850c8c78e4144e6123e8ed2718]
stable/5.15: [384e3050a42be9085d50507b4d5f8266a588d742]
stable/6.1: [8c16c68fdbb69778f8d04f650340c3f4d1518f8e]
stable/6.12: [6e20700f8c524ac379ba8274ff5d453023b7c006]
stable/6.18: [09dc0d1a12222ffca6481916eab3cfea477b9620]
stable/6.6: [aafcbaf1159ea224528ca4075d0ba8c10ef374af]
stable/7.0: [67bceeb22207f1f5a402973a3a0809e5f2698f38]
CVE-2026-46239: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46239
Introduced by commit 4f66f36 ("media: i2c: ov5647: Convert to CCI
register access helpers") in v7.0-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f11ae9c04f8368a3b5a0280ef595198dace1c983]
stable/7.0: [6b03ecf75bda5900b8e661eb75656f631b598bc2]
CVE-2026-46240: media: iris: Fix use-after-free in
iris_release_internal_buffers()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46240
Introduced by commit 1dabf00 ("media: iris: gen1: Destroy internal
buffers after FW releases") in v7.0-rc1.
Fixed in v7.1-rc3.
Bug introduced commit was backported to following branches.
stable/6.18
Fixed status
mainline: [f27cfdcfc916bb59297825805f4c3499f89f9e76]
stable/6.18: [dd24998a4a4016fb9921916024399bd80f0d45c6]
stable/7.0: [18c64439f249859b6140f7bf8bcf95c8ed841f28]
CVE-2026-46241: spi: mpc52xx: fix use-after-free on registration failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46241
Introduced by commit 42bbb70 ("powerpc/5200: Add mpc5200-spi (non-PSC)
device driver") in v2.6.33-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f62c060272b9d7423b1650b844e8e4e7b8f9f925]
stable/6.12: [8b49b6aadd0c622ca7d68b4a53ae10362e221cf3]
stable/6.18: [336d9ad7560b3baba17af06727a888040ee93390]
stable/7.0: [5c77f11b9b5f1ad5a704dad875260c44016ede10]
CVE-2026-46242: eventpoll: fix ep_remove struct eventpoll / struct file UAF
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46242
Introduced by commit 58c9b01 ("epoll: use refcount to reduce ep_mutex
contention") in v6.4-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
stable/5.15 stable/6.1
Fixed status
mainline: [a6dc643c69311677c574a0f17a3f4d66a5f3744b]
stable/6.18: [ef4ca02e95363e78977ca04340d44fe3b4b2b81f]
stable/7.0: [ced39b6a8062bac5c18a1c3df85634107eb8664a]
CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46243
Introduced by commit f1d662a ("[CIFS] Add upcall files for cifs to use
spnego/kerberos") in v2.6.24-rc3.
Fixed in v7.1-rc5.
This vulnerability is known as CIFSwitch.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3da1fdf4efbc490041eb4f836bf596201203f8f2]
stable/5.10: [7713bd320ed4fc3d08a227cd8e41242219a16981]
stable/5.15: [9544559e59438a4b609b2fdfa0763d8360572824]
stable/6.1: [cf20038657d6d4974349556a34e08fe0490bebbc]
stable/6.12: [a3bbda6502a9398b816fa2e71c9a3f955f58013d]
stable/6.18: [91f89c1d83e80417629791fcef6af8140d7d01c8]
stable/6.6: [2035acfb17221729b1b8ac335e941868a04ca079]
stable/7.0: [0aece6685fc80a8de492688ca2315fb86ec379c7]
CVE-2025-71313: PCI: endpoint: Add missing NULL check for alloc_workqueue()
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71313
Introduced by commit e35f56b ("PCI: endpoint: Support NTB transfer
between RC and EP") in v6.0-rc1.
Introduced by commit 8b821cf ("PCI: endpoint: Add EP function driver
to provide NTB functionality") in v5.12-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
stable/5.15
Fixed status
mainline: [03f336a869b3a3f119d3ae52ac9723739c7fb7b6]
CVE-2025-71314: drm/panthor: Recover from panthor_gpu_flush_caches() failures
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71314
Introduced by commit 5cd894e ("drm/panthor: Add the GPU logical
block") in v6.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3c0a60195b37af83bbbaf223cd3a78945bace49e]
stable/6.12: [8ec4f1b14a6147db07d6e51aa1d6bcc799649847]
stable/6.18: [57753f2c64c033a21a7400b3a2192db1cd6c890e]
CVE-2026-46244: netfilter: nft_inner: Fix IPv6 inner_thoff desync
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46244
Introduced by commit 3a07327 ("netfilter: nft_inner: support for inner
tunnel header matching") in v6.2-rc1.
Fixed in v7.1-rc5.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b6a91f68ebfed9c38e0e9150f58a9b85da07181c]
stable/6.12: [870d59e2cf218e7418491e26bad768cb16654582]
stable/6.18: [689bbf48c1f45130086ae1c46ab83ea4c753c601]
stable/6.6: [c161ad9157f5a0429b5ff94d9770faf3bf48d273]
stable/7.0: [d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce]
CVE-2026-46245: drm/amd/display: Fix dc_link NULL handling in HPD init
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46245
Introduced by commit 4562236 ("drm/amd/dc: Add dc display driver
(v2)") in v4.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [226a40c06a183abaeb7529a4f54d6c203bd14407]
CVE-2026-46246: power: supply: pm8916_lbc: Fix use-after-free for
extcon in IRQ handler
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46246
Introduced by commit f8d7a3d ("power: supply: Add driver for pm8916
lbc") in v6.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [23067259919663580c6f81801847cfc7bd54fd1f]
stable/6.12: [9fab0120907e6965168e55b1e17cb9dfaf262b86]
stable/6.18: [47abfc207ab02cf1297257e282e8048da63f0d08]
CVE-2026-46247: clk: qcom: gfx3d: add parent to parent request map
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46247
Introduced by commit 55213e1 ("clk: qcom: Add gfx3d ping-pong PLL
frequency switching") in v4.5-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2583cb925ca1ce450aa5d74a05a67448db970193]
stable/6.1: [82cfe5292b11deb1dc33822f67f73cfbe8eafe25]
stable/6.12: [56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8]
stable/6.18: [aed53da569fb96eec09b4817b1953bcc2e467eea]
stable/6.6: [547ae2f17349c7586953af5ef50de43ef3f65e9e]
CVE-2026-46248: wifi: ath12k: clear stale link mapping of ahvif->links_map
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46248
Introduced by commit 81e4be3 ("wifi: ath12k: handle link removal in
change_vif_links()") in v6.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9]
stable/6.18: [da289440f04c93048d82d293b180f1cacdfee2d9]
CVE-2026-46249: octeontx2-af: Fix PF driver crash with kexec kernel booting
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46249
Introduced by commit 54494aa ("octeontx2-af: Add Marvell OcteonTX2 RVU
AF driver") in v4.20-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2d2d574309e3ae84ee794869a5da8b4c38753a94]
stable/5.10: [b7605b9301abc18fbbf2b0e23fdd281fc768955d]
stable/5.15: [9769a09afda20a006b528b9e723effcae45965b2]
stable/6.1: [57821d1436ba1c6a6973aa32d54166fdec35558c]
stable/6.12: [7d56ba306e93d04696718963fb4cda2883ee7585]
stable/6.18: [9c3398e5b3a914b74276d44ab54c49123b89c61a]
stable/6.6: [8b5ed7c5417b7013d35b6f2507dab739013ba1a9]
CVE-2026-46250: MIPS: Work around LLVM bug when gp is used as global
register variable
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46250
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
cip/4.19-st: [512fb475b00016996cdec9f308ddb9775912a1c7]
mainline: [30bfc2d6a1132a89a5f1c3b96c59cf3e4d076ea3]
stable/5.10: [05bff9b0ae095b2420cfebb4a96759a09334bec6]
stable/5.15: [1fe3b402b1e97a1718df3be0a1d3eee20133e735]
stable/6.1: [4dc65b40fb80c2020efbf139b9a38d30f9a37b92]
stable/6.12: [e3a6498a63394218561065a9a7a597a204f52f6a]
stable/6.18: [561834f6d6f52b8a1791331e94b2aac753491d2a]
stable/6.6: [c0155dee51b9f5f48aaf5c71cae005eb0e36521f]
CVE-2026-46251: btrfs: fix block_group_tree dirty_list corruption
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46251
Introduced by commit 14033b0 ("btrfs: don't save block group root into
super block") in v6.1-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3a1f4264daed4b419c325a7fe35e756cada3cf82]
stable/6.1: [6e10283b5519d987d880d71bec90cdc7f2ec62b3]
stable/6.12: [4eb830847d84276f1c8ea46541cfeeedaba1fb63]
stable/6.18: [80e1fda9c084dcf54819a12bc7682ec0afd2d8f4]
stable/6.6: [e3d1fd084319f8f0830b22f014c7af6a96b4497b]
CVE-2026-46252: regulator: core: fix locking in
regulator_resolve_supply() error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46252
Introduced by commit 36a1f1b ("regulator: core: Fix memory leak in
regulator_resolve_supply()") in v4.2-rc4.
Introduced by commit 8e5356a ("regulator: core: Clear the supply
pointer if enabling fails") in v4.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/4.4 cip/4.4-rt cip/4.4-st
Fixed status
mainline: [497330b203d2c59c5ff3fa4c34d14494d7203bc3]
CVE-2026-46253: pstore/ram: fix buffer overflow in persistent_ram_save_old()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46253
Introduced by commit 201e4ac ("pstore/ram: Should update old dmesg
buffer before reading") in v3.5-rc4.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [ac13d7ba72df5c74cc1276fecdc5eebaf8f2c98a]
cip/4.4-st: [9a7aa6096256392f98d1057c82fc7d09dd9b9567]
mainline: [5669645c052f235726a85f443769b6fc02f66762]
stable/5.10: [58bda5a1d1ee98254383ef34f76b2c35140513ea]
stable/5.15: [06d2c8bd108cea503f6f6e13e47495ed1085275f]
stable/6.1: [2fa9a047c6a50ec80c3890dd623b85e237f0d1fd]
stable/6.12: [9a6fc69a570c0780834246d52c856cc3dbc2605f]
stable/6.18: [4f73486ca822305c1cf5b8ebc0b53a6ab3801a81]
stable/6.6: [cff0ef043e16feb5a02307c8f9d0117a96c5587c]
CVE-2026-46254: AppArmor: Allow apparmor to handle unaligned dfa tables
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46254
Introduced by commit e6e8bf4 ("apparmor: fix restricted endian type
warnings for dfa unpack") in v4.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [64802f731214a51dfe3c6c27636b3ddafd003eb0]
stable/6.12: [ec737e7fdf2f0ba7b203d4ec72cc915978b10e7e]
stable/6.18: [23f112bd6144e815153462e12d313ac3e7027168]
CVE-2026-46255: dmaengine: fsl-edma: don't explicitly disable clocks
in .remove()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46255
Introduced by commit a9903de ("dmaengine: fsl-edma: refactor using
devm_clk_get_enabled") in v6.6-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [666c53e94c1d0bf0bdf14c49505ece9ddbe725bc]
stable/6.12: [68feac21bd4de7ae4faba05704c404861d991fcf]
stable/6.18: [bda244871179543dd3be7d093236cb33b2fb1765]
stable/6.6: [533d495f15e4c88ad5246c7f90ae026702e28d75]
CVE-2026-46256: NFS/localio: prevent direct reclaim recursion into NFS
via nfs_writepages
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46256
Introduced by commit 70ba381 ("nfs: add LOCALIO support") in v6.12-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [67435d2d8a33a75f9647724952cb1b18279d2e95]
stable/6.18: [ae26a4cf2baf0a44c538dc093504d1994b02dade]
CVE-2026-46257: clocksource/drivers/timer-sp804: Fix an Oops when
read_current_timer is called on ARM32 platforms where the SP804 is not
registered as the sched_clock.
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46257
Introduced by commit 640594a ("clocksource/drivers/timer-sp804: Fix
read_current_timer() issue when clock source is not registered") in
v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [694921a93f3e3621e067afc545cedf6fe3b234a9]
CVE-2026-46258: gpio: cdev: Avoid NULL dereference in linehandle_create()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46258
Introduced by commit da7e394 ("gpio: convert linehandle_create() to
FD_PREPARE()") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6af6be278e3ba2ffb6af5b796c89dfb3f5d9063e]
CVE-2026-46259: procfs: fix missing RCU protection when reading
real_parent in do_task_stat()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46259
Introduced by commit 06fffb1 ("do_task_stat: don't take
rcu_read_lock()") in v2.6.26-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [dc487ccdbe36d1b4e77c21417ee19ecc3469d8d0]
cip/4.4-st: [34fa0caccdaa8585ddcbb2ce9e513172a897ce49]
mainline: [76149d53502cf17ef3ae454ff384551236fba867]
stable/5.10: [fefa0fcd78be465b7ad4c497fa6ec90d64194c04]
stable/5.15: [c93a33f28f915d446eea6fb3f0e1def0b3af1982]
stable/6.1: [1c8dc5b5517546c68ffae40b948336122bb61306]
stable/6.12: [73ec7c96601d61d52310c659145bb06d933a0fa6]
stable/6.18: [4f9ae386861e280b7631ca252f798d25575627ee]
stable/6.6: [0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e]
CVE-2026-46260: ipv6: Fix out-of-bound access in fib6_add_rt2node().
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46260
Introduced by commit bbf4a17 ("ipv6: Fix ECMP sibling count mismatch
when clearing RTF_ADDRCONF") in v6.19.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.18 stable/6.6
Fixed status
mainline: [8244f959e2c125c849e569f5b23ed49804cce695]
stable/6.12: [bf5009a06e03ee9a51052bb59f2228a5e4e66260]
stable/6.18: [03b5051e02f5a3772eee57493ad697d4b505b0c2]
stable/6.6: [bcc60ad129ae1837cf809c81bff56ec8bfdb6b11]
CVE-2026-46261: spi: wpcm-fiu: Fix potential NULL pointer dereference
in wpcm_fiu_probe()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46261
Introduced by commit 9838c18 ("spi: wpcm-fiu: Add direct map support")
in v6.2-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [888a0a802c467bbe34a42167bdf9d7331333440a]
stable/6.12: [2c538a0b3472e99c892c26f4940da38b7d87f632]
stable/6.18: [0f93a80eb3fd596ddc5730d05e0e8c88e1aa2891]
stable/6.6: [9e5cb7e67fbdb8320d68d87db882a92b36f6a1d9]
CVE-2026-46262: ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46262
Introduced by commit f514248 ("ASoC: fsl_xcvr: fix missing lock in
fsl_xcvr_mode_put()") in v6.19.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/5.15 stable/6.1 stable/6.12
stable/6.18 stable/6.6
Fixed status
mainline: [9f16d96e1222391a6b996a1b676bec14fb91e3b2]
stable/5.15: [ae5a70e3e87c28edbaf9939cfef1bcbd9615420f]
stable/6.1: [30ffcad5edb56947dccc26f6816ab7a55b21a711]
stable/6.12: [b0f74f5d24fe3c73ef1369a811891198b54c1e8e]
stable/6.18: [9a2a5da002775376498e8814df4a87cd629a3a0c]
stable/6.6: [29b2fbe3498da3681a01b34e4a2259f8a1b89448]
CVE-2026-46263: drm/amd/display: Fix out-of-bounds stream encoder index v3
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46263
Introduced by commit 2728e9c ("drm/amd/display: add DC changes for
DCN351") in v6.9-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [abde491143e4e12eecc41337910aace4e8d59603]
stable/6.12: [29f3824b08a98d41ecbbfd33580630d7607f962e]
stable/6.18: [263e28add4f4472cfa95150d218955d1945aa413]
CVE-2026-46264: drm/xe/pf: Fix sysfs initialization
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46264
Introduced by commit 5c170a4 ("drm/xe/pf: Prepare sysfs for SR-IOV
admin attributes") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [bf7172cd25ed182f30af2cbb9f80c730dc717d8e]
CVE-2026-46265: RDMA/hns: Fix WQ_MEM_RECLAIM warning
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46265
Introduced by commit ffd541d ("RDMA/hns: Add the workqueue framework
for flush cqe handler") in v5.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c0a26bbd3f99b7b03f072e3409aff4e6ec8af6f6]
stable/6.1: [12761bd0ae16a80f237c2a65ab1b1064076cc74a]
stable/6.12: [562c96b1393da2df3ea62173c84117b39da353b9]
stable/6.18: [0cbec8b49270f3f0600b8e3ef5e8f0d233dcea27]
stable/6.6: [70a5eb757ace5bd627a36f04d871eaf85def424d]
CVE-2026-46266: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46266
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c89477ad79446867394360b29bb801010fc3ff22]
stable/6.12: [19e42490c89bac9a388f28179e66bebbef350f99]
stable/6.18: [531c1aec81bfe19d00af13da5531fbb8209e4bd2]
stable/6.6: [db76b75ede3810e7cf9cfea5067d4f3e0993768b]
CVE-2026-46267: nfc: hci: shdlc: Stop timers and work before freeing context
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46267
Introduced by commit 4a61cd6 ("NFC: Add an shdlc llc module to llc
core") in v3.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c9efde1e537baed7648a94022b43836a348a074f]
stable/5.15: [c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e]
stable/6.1: [a24a676329d40481b2331bfa1418a679577dfd3a]
stable/6.12: [cf70cedce327833296ebe6043364d1e44b76a2ab]
stable/6.18: [276820278e9717cc7d4bb32381892dd3ddf418d4]
stable/6.6: [77eef9f2eef045c3c37a3df82d3e661afb866b98]
CVE-2026-46268: PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46268
Introduced by commit b7e2823 ("mm/mm_init: move p2pdma page refcount
initialisation to p2pdma") in v6.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cb500023a75246f60b79af9f7321d6e75330c5b5]
stable/6.18: [eb9aa9f8010465d927864f5a35bdc5604b0ff51a]
CVE-2026-46269: pinctrl: canaan: k230: Fix NULL pointer dereference
when parsing devicetree
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46269
Introduced by commit d94a32a ("pinctrl: canaan: k230: Fix order of DT
parse and pinctrl register") in v6.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d8c128fb6c2277d95f3f6a4ce28b82c8370031f6]
stable/6.18: [3c7d637bfc3dfbd6471c68bd767f7eb8b5b09eba]
CVE-2026-46270: power: supply: rt9455: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46270
Introduced by commit e86d69d ("power_supply: Add support for Richtek
RT9455 battery charger") in v4.2-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [14089824bf261a0d5fa1957a9f18761249787b7f]
cip/4.4-st: [c20d6273c666b768d56aca53a77fded4e2b5578e]
mainline: [e2febe375e5ea5afed92f4cd9711bde8f24ee6d2]
stable/5.10: [d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfc]
stable/5.15: [62d753b916bd500bb269b7078cdab73198ab4718]
stable/6.1: [a39f8f06216f73ef40e71e2fe4ad071964c1fd36]
stable/6.12: [2178dc65d45e2f7bcaa8af8d80d100419bdab251]
stable/6.18: [64e15155095f39f4dec9b4659da1238ef8fc54d4]
stable/6.6: [af261f218a7606f93d2c786353d60bb4feb56ef0]
CVE-2026-46271: wifi: ath12k: do WoW offloads only on primary link
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46271
Introduced by commit 32f7b19 ("wifi: ath12k: support MLO as well if
single_chip_mlo_support flag is set") in v6.16-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e62102ac9b773bdb08475aa9ca24dea61ae98708]
stable/6.18: [7379837c3f9efa576dc2d716ebfaa3a113b3112f]
CVE-2026-46272: coresight: tmc-etr: Fix race condition between sysfs
and perf mode
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46272
Introduced by commit 296b01f ("coresight: Refactor out buffer
allocation function for ETR") in v6.5-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e6e43e82c79c97917cbe356c07e8a6f3f982ab53]
stable/6.18: [38a07194bbcddb18d77dad40ba9978d994c0b74c]
CVE-2026-46273: ibmveth: Disable GSO for packets with small MSS
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46273
Introduced by commit 8641dd8 ("ibmveth: Add support for TSO") in v4.2-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cc427d24ac6442ffdeafd157a63c7c5b73ed4de4]
stable/5.10: [86fc64584811d43c9ccd74447de58620189d8b77]
stable/5.15: [9a5e984d7af910e46dcbed3ce77873e000a4f77d]
stable/6.1: [1cdf5dbcec988d06f5f720bdf89e91073f77fa10]
stable/6.12: [db8012c631cb845e9ae2b4b531e17d86c9519755]
stable/6.18: [c1f261863e65b508f37416dfbc5c5d911c9b9233]
stable/6.6: [82bc89fbb82d9396fb4eaee8720ea85e2e787957]
stable/7.0: [3af24f0c4c31f18a4a2d927990759194832bb6e9]
* Updated CVEs
CVE-2021-47188: scsi: ufs: core: Improve SCSI abort handling
stable/5.10 was fixed.
Fixed status
stable/5.10: [9491bc16082d9a402c9099acbfffc89af6f9316f]
CVE-2022-48703: thermal/int340x_thermal: handle data_vault when the
value is ZERO_SIZE_PTR
stable/5.10 was fixed.
Fixed status
stable/5.10: [722588f17fd3d3a127e50718ec2caf22bd7e9daa]
CVE-2022-48816: SUNRPC: lock against ->sock changing during sysfs read
stable/5.15 was fixed.
Fixed status
stable/5.15: [fdc42287ae3f8a35cc2098307f52d7864b4bc8ed]
CVE-2022-49135: drm/amd/display: Fix memory leak
stable/5.10 was fixed.
Fixed status
stable/5.10: [5076315aaddd640bde896ec8d79423ed8ec83a59]
CVE-2022-49158: scsi: qla2xxx: Fix warning message due to adisc being flushed
stable/5.10 was fixed.
Fixed status
stable/5.10: [c7e01292eb8499ef044737fd2ba37d033552167c]
CVE-2022-49183: net/sched: act_ct: fix ref leak when switching zones
stable/5.10 was fixed.
Fixed status
stable/5.10: [9222a08be539cbb7a8e0d46cbc7ab9e4db273eb8]
CVE-2022-49803: netdevsim: Fix memory leak of nsim_dev->fa_cookie
stable/5.15 was fixed.
Fixed status
stable/5.15: [6d463ddd0107d4188229d996dcdd45c99bad8af7]
CVE-2022-49822: cifs: Fix connections leak when tlink setup failed
stable/5.10 was fixed.
Fixed status
stable/5.10: [775d6625f96b26b90b9be9164b855ea2c471c0e5]
CVE-2022-49961: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO
stable/5.15 was fixed.
Fixed status
stable/5.15: [987b4c465ba28c662ca857be6c20fd2d96bc55f0]
CVE-2022-50073: net: tap: NULL pointer derefence in
dev_parse_header_protocol when skb->dev is null
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [8f90163f9e013c8fc791aab338aab44a46044cfc]
stable/5.15: [447ba770cfe798925f4923548b367fd49f0ee5f0]
CVE-2022-50116: tty: n_gsm: fix deadlock and link starvation in
outgoing data path
stable/5.15 was fixed.
Fixed status
stable/5.15: [5020173e7e7725110a8d4be1359bf1dfc4b1814d]
CVE-2022-50472: IB/mad: Don't call to function that might sleep while
in atomic context
stable/5.10 was fixed.
Fixed status
stable/5.10: [d45e6ccb8e98d8339631f32984d345a663e74ce2]
CVE-2022-50493: scsi: qla2xxx: Fix crash when I/O abort times out
stable/5.10 was fixed.
Fixed status
stable/5.10: [5f730e489e741c28fe6a5b3308e33c094462acb0]
CVE-2022-50552: blk-mq: use quiesced elevator switch when reinitializing queues
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [0f90015383cd3f1128bebfbe7a97122d97808046]
stable/5.15: [9646443f28f33ec545ae303e613c3f476fad4dc1]
CVE-2023-45896: fs/ntfs3: Add more attributes checks in mi_enum_attr()
stable/5.15 was fixed.
Fixed status
stable/5.15: [a7accf181a4709a6e380360372150cc4a1b6b89a]
CVE-2023-52682: f2fs: fix to wait on block writeback for post_read case
stable/5.15 was fixed.
Fixed status
stable/5.15: [2bfe8fdb674f71747553a65f2ef27e14c8880655]
CVE-2023-52737: btrfs: lock the inode in shared mode before starting fiemap
stable/5.15 was fixed.
Fixed status
stable/5.15: [e425191073a80906d8502b5179471cc58b0b9e9a]
CVE-2023-53133: bpf, sockmap: Fix an infinite loop error when len is 0
in tcp_bpf_recvmsg_parser()
stable/5.10 was fixed.
Fixed status
stable/5.10: [f0d52cc242f279c422b487dcaaccd98b99672fd0]
CVE-2023-53292: blk-mq: fix NULL dereference on q->elevator in
blk_mq_elv_switch_none
stable/6.1 was fixed.
Fixed status
stable/6.1: [988ddb77218d3975dd13dee7bb0e1fae098a9fdb]
CVE-2023-53421: blk-cgroup: Reinit blkg_iostat_set after clearing in
blkcg_reset_stats()
stable/5.10 was fixed.
Fixed status
stable/5.10: [58c135513562698f222a58ba07dbdfcfb268aa0d]
CVE-2023-53543: vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
stable/5.15 was fixed.
Fixed status
stable/5.15: [baed19c108ac8287425b93a44985bbe9a0b1af8d]
CVE-2023-53545: drm/amdgpu: unmap and remove csa_va properly
stable/5.15 was fixed.
Fixed status
stable/5.15: [1bc35e637a81dac5f5155e83a277c26708c4d4d7]
CVE-2023-53596: drivers: base: Free devm resources when unregistering a device
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [83e2ec36a92432e9445e853c12becbbae353b511]
stable/5.15: [b9ef4b0aa91d2f9f5951faafdbbd47cf01799ec3]
CVE-2023-53629: fs: dlm: fix use after free in midcomms commit
stable/5.15 was fixed.
Fixed status
stable/5.15: [84d6ce2aef1d06a53f606211da68a2085dfeb50d]
CVE-2023-53989: arm64: mm: fix VA-range sanity check
stable/6.1 was fixed.
Fixed status
stable/6.1: [c7a9e967cc9615a1dabc5e0e6fdbe88a172d5a5b]
CVE-2023-54322: arm64: set __exception_irq_entry with __irq_entry as a default
stable/6.1 was fixed.
Fixed status
stable/6.1: [47d74b54180b6b296b489b7895011c9a28979ff1]
CVE-2024-26886: Bluetooth: af_bluetooth: Fix deadlock
stable/5.15 was fixed.
Fixed status
stable/5.15: [60673f442984fe689d4127a5dd4be414247b3d67]
CVE-2024-27389: pstore: inode: Only d_invalidate() is needed
stable/5.15 was fixed.
Fixed status
stable/5.15: [d0ee2a8adb6673382cce8a4280e1ca0849b3b783]
CVE-2024-35865: smb: client: fix potential UAF in smb2_is_valid_oplock_break()
stable/5.15 was fixed.
Fixed status
stable/5.15: [a710ef9e974f18232d2b9b19c90eda1a1167b2d4]
CVE-2024-36922: wifi: iwlwifi: read txq->read_ptr under lock
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [f30e8af109818c9db08cbcc46eb9713fe4b530ba]
stable/6.1: [aab7b39fcac5f6165f6434bcbb56bb7865d4ad2b]
CVE-2024-41079: nvmet: always initialize cqe.result
stable/5.15 was fixed.
Fixed status
stable/5.15: [c6a2cf8b0764f3ba7d9bff58c8775a6d4476bb29]
CVE-2024-43902: drm/amd/display: Add null checker before passing variables
stable/5.10 was fixed.
Fixed status
stable/5.10: [ea000e4b4ee5363997715531cb3d024b4e5d561c]
CVE-2024-46770: ice: Add netif_device_attach/detach into PF reset flow
stable/5.15 was fixed.
Fixed status
stable/5.15: [721f27f489a47ed0d8690b73fc1f070c2eb180cf]
CVE-2024-47809: dlm: fix possible lkb_resource null dereference
stable/5.15 was fixed.
Fixed status
stable/5.15: [e1ffea6bec96d4349dbfcc42ad3e436259f64243]
CVE-2024-49925: fbdev: efifb: Register sysfs groups through driver core
stable/5.15 was fixed.
Fixed status
stable/5.15: [2d97b85eb5a86766ad0f8ea3d121e6ae144e3ed8]
CVE-2024-50012: cpufreq: Avoid a bad reference count on CPU node
stable/5.15 was fixed.
Fixed status
stable/5.15: [2b846344b15f933a56903b7cdba9080f06c725ff]
CVE-2024-53213: net: usb: lan78xx: Fix double free issue with
interrupt buffer allocation
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [cc5aa8e3ad69dcedeba79e667d4a2efb72a305af]
stable/5.15: [2970ef2fce90c661952ec2b451b0276d5f8d6180]
CVE-2024-53221: f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [4289be8465924748daa9bf14866eb7f0987d4e39]
stable/6.1: [bd9197b72d772be7bccc3b66c83a3157cfe2f96f]
CVE-2024-56647: net: Fix icmp host relookup triggering ip_rt_bug
stable/6.1 was fixed.
Fixed status
stable/6.1: [d50981aaaefc3b04490fbc8274d37881a2b1b112]
CVE-2024-56657: ALSA: control: Avoid WARN() for symlink errors
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [4e5a92a7223c83c1f5f2db6cd010ac9347948972]
stable/6.1: [365ee29e559269cbb2108c4cc05dd8e262b4e84e]
CVE-2024-56719: net: stmmac: fix TSO DMA API usage causing oops
stable/5.15 was fixed.
Fixed status
stable/5.15: [05968b6dd0ffc65d7386608b11a11fb4fdfc9f36]
CVE-2024-56727: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c
stable/5.15 was fixed.
Fixed status
stable/5.15: [e3c4e78d636e6dbd8ed72e41b311de2bb7e0b699]
CVE-2024-57945: riscv: mm: Fix the out of bound issue of vmemmap address
stable/5.10 was fixed.
Fixed status
stable/5.10: [04350304428063da6a55a8a4597d409dc69148b2]
CVE-2025-21712: md/md-bitmap: Synchronize bitmap_get_stats() with
bitmap lifetime
stable/5.15 was fixed.
Fixed status
stable/5.15: [eb2f9d98cd3e94a79fbf8fb90637c5b12e805428]
CVE-2025-21739: scsi: ufs: core: Fix use-after free in init error and
remove paths
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [0a6895c03b1f439236e2d22b1a69ebfc1eb9d5ea]
stable/6.1: [d06eb2620d3bf16056b8b7ea3744dbb5e30512f4]
CVE-2025-21845: mtd: spi-nor: sst: Fix SST write failure
stable/6.1 was fixed.
Fixed status
stable/6.1: [f791837015a0d20f584d0ed368393f119a00018f]
CVE-2025-21847: ASoC: SOF: stream-ipc: Check for cstream nullity in
sof_ipc_msg_data()
stable/6.1 was fixed.
Fixed status
stable/6.1: [dfe25c554daa12ee26eb3540bbded57733ed5d9c]
CVE-2025-21863: io_uring: prevent opcode speculation
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [18eae8420081ef8e043ad455937bfb470ef08607]
stable/6.1: [d261ead565a080e3411b0dd04e6d58a52471cac8]
CVE-2025-22069: riscv: fgraph: Fix stack layout to match
__arch_ftrace_regs argument of ftrace_return_to_handler
stable/6.12 was fixed.
Fixed status
stable/6.12: [7ed384db061a264bd806898f7ccab9b98b591488]
CVE-2025-22105: bonding: check xdp prog when set bond mode
stable/6.1 was fixed.
Fixed status
stable/6.1: [074de2f6706ea840bbf06599cdc194086fbae092]
CVE-2025-22107: net: dsa: sja1105: fix kasan out-of-bounds warning in
sja1105_table_delete_entry()
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [f85b9bfb08ba2b642d1810c6c4ae1e7b46f1776a]
stable/5.15: [f117d0467215d7f1d445ae16d2c799637e63dc6c]
CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect
guest memory accesses
stable/5.15 was fixed.
Fixed status
stable/5.15: [56d997b257075951a46663970cd350cd5e34c041]
CVE-2025-37864: net: dsa: clean up FDB, MDB, VLAN entries on unbind
stable/6.1 was fixed.
Fixed status
stable/6.1: [5e531e71b9d21d5e985251440e0d722f71299b7a]
CVE-2025-38105: ALSA: usb-audio: Kill timer properly at removal
stable/5.15 was fixed.
Fixed status
stable/5.15: [06513dd6d32c37d0364db8488cfdf3e14da238a8]
CVE-2025-38192: net: clear the dst when changing skb protocol
stable/5.15 was fixed.
Fixed status
stable/5.15: [a046f183d21ab5ace5a96ece4cf9873a42f003a7]
CVE-2025-38250: Bluetooth: hci_core: Fix use-after-free in vhci_flush()
stable/5.15 was fixed.
Fixed status
stable/5.15: [90dee0a0ff84fac8accd5be98412b3819f667149]
CVE-2025-38584: padata: Fix pd UAF once and for all
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [a2048e475e22b13dc3e53d485b7e6e11464ed9a6]
stable/5.15: [73f132e60857038416540c3599b1de6033d7575a]
stable/6.1: [609e59193fc6d9dd323f1c6ae1fdd721f1c79680]
CVE-2025-38626: f2fs: fix to trigger foreground gc during
f2fs_map_blocks() in lfs mode
stable/5.15 was fixed.
Fixed status
stable/5.15: [c737047f4665232d1e26b3620bc62df334545451]
CVE-2025-38627: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
stable/6.1 was fixed.
Fixed status
stable/6.1: [74cbeeca4f16823ba58c882e1d8b836c0e39c93d]
CVE-2025-38659: gfs2: No more self recovery
stable/5.15 was fixed.
Fixed status
stable/5.15: [69cf5699a402ee7ae1be53954dc2ae652c0a053c]
CVE-2025-38710: gfs2: Validate i_depth for exhash directories
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [076e992752e4b24178918f748d75597c80a408d2]
stable/5.15: [366183911b153e9b8cf758e1414e1154d7569337]
stable/6.1: [112bb60cd0e254a369e95aa9941a694ffeca089f]
CVE-2025-39997: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [e63f049c7764b615d1d50cb486745fa63372b42d]
stable/6.1: [e16985513e89466a236d2a7c202783b4dd0c5a46]
CVE-2025-40005: spi: cadence-quadspi: Implement refcount to handle
unbind during busy
stable/5.15 was fixed.
Fixed status
stable/5.15: [8ce3ebbe5c718940b4e94f5c25f5720223f893f8]
CVE-2025-40163: sched/deadline: Stop dl_server before CPU goes offline
stable/6.12 was fixed.
Fixed status
stable/6.12: [d7fd56ed5e07e053a5eea6112d61fcaded653b87]
CVE-2025-40347: net: enetc: fix the deadlock of enetc_mdio_lock
stable/6.1 was fixed.
Fixed status
stable/6.1: [a649161526736f48bcc592e3a412e5bcd7dd9e24]
CVE-2025-68201: drm/amdgpu: remove two invalid BUG_ON()s
stable/6.1 was fixed.
Fixed status
stable/6.1: [7281d5b698d60fa46d17cd36ee8c5192fea9428d]
CVE-2025-68239: binfmt_misc: restore write access before closing files
opened by open_exec()
stable/5.15 was fixed.
Fixed status
stable/5.15: [54274ff90488b6c0f595a6518faed3cf0bc966eb]
CVE-2025-68307: can: gs_usb: gs_usb_xmit_callback(): fix handling of
failed transmitted URBs
stable/5.15 was fixed.
Fixed status
stable/5.15: [87974ebd6552817492daec7866ebfa2c484fa2ac]
CVE-2025-68315: f2fs: fix to detect potential corrupted nid in free_nid_list
stable/6.1 was fixed.
Fixed status
stable/6.1: [88b2ddb0c4f1dc874d4598e78cc830c64315ed86]
CVE-2025-68823: ublk: fix deadlock when reading partition table
stable/6.1 was fixed.
Fixed status
stable/6.1: [27bb79b7717b2fbb111a1c13548b2786ee712dca]
CVE-2025-71161: dm-verity: disable recursive forward error correction
stable/5.15 was fixed.
Fixed status
stable/5.15: [8b821ca892cfeeaf0bedc9fc72717294f67144d5]
CVE-2025-71221: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
stable/5.15 was fixed.
Fixed status
stable/5.15: [3f0e0e2d9e752570041e95fd04635e2580097819]
CVE-2025-71289: fs/ntfs3: handle attr_set_size() errors when truncating files
stable/6.12, stable/6.18 were fixed.
Fixed status
stable/6.12: [3a718675d6af4992e34ffe86b8f36d471a5afe0e]
stable/6.18: [d73dcd1520d65a34420761641a36b951b14c8c53]
CVE-2026-23066: rxrpc: Fix recvmsg() unconditional requeue
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [8fd3b5e297854a4da0f273169baf4b1b7b257b97]
stable/5.15: [c198628f3fca5c874d93874c233014d336e09f64]
stable/6.1: [c6cebcb4e0b3140ec2ace45c020a9049527385d1]
CVE-2026-23141: btrfs: send: check for inline extents in
range_is_hole_in_parent()
stable/5.15 was fixed.
Fixed status
stable/5.15: [901e581bfc44d181f7d9c3f11880dac3e89deb2e]
CVE-2026-23157: btrfs: do not strictly require dirty metadata
threshold for metadata writepages
stable/5.15 was fixed.
Fixed status
stable/5.15: [6a8b6242eaa1dd7a0de2d6de6420d10ffe68db90]
CVE-2026-23204: net/sched: cls_u32: use skb_header_pointer_careful()
stable/5.15 was fixed.
Fixed status
stable/5.15: [29681ed51e737be14d18ecd1c304c57002e4b72c]
CVE-2026-23255: net: add proper RCU protection to /proc/net/ptype
stable/6.1 was fixed.
Fixed status
stable/6.1: [e974a10a52618f7f57a4bce173a0ed96acd4e5dc]
CVE-2026-23327: cxl/mbox: validate payload size before accessing
contents in cxl_payload_from_user_allowed()
stable/6.18 was fixed.
Fixed status
stable/6.18: [dc184ac2f0ba77ae19725ee06ad3ab36bb9d1f61]
CVE-2026-23371: sched/deadline: Fix missing ENQUEUE_REPLENISH during
PI de-boosting
stable/6.18 was fixed.
Fixed status
stable/6.18: [0638bf16b7a73a2fe63624bd0d16d9fd904805c3]
CVE-2026-23389: ice: Fix memory leak in ice_set_ringparam()
stable/6.1 was fixed.
Fixed status
stable/6.1: [bddf04e3822e4fa38691433dd0750420d49a0dd6]
CVE-2026-23394: af_unix: Give up GC if MSG_PEEK intervened.
stable/6.12, stable/6.6 were fixed.
Fixed status
stable/6.12: [e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202]
stable/6.6: [3106f326f67c03dd9da4ca64663d11e40138cf40]
CVE-2026-23399: nf_tables: nft_dynset: fix possible stateful
expression memleak in error path
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [eb7bf413e59945df03d4567b73ce464eebe2f4ea]
stable/6.1: [4357dbb1d9c35ca0b4443d71c98a48e6666f7689]
CVE-2026-23442: ipv6: add NULL checks for idev in SRv6 paths
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [0348fa0ada37cef7c6b5ab2a428bb2c6aee784e4]
stable/5.15: [83d705d35e583cb1b1eacf196dfe7b77d442018e]
stable/6.1: [d1bd8b9edc6752d10f84d28ff64f842401ce336d]
CVE-2026-23444: wifi: mac80211: always free skb on
ieee80211_tx_prepare_skb() failure
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [905ef207d5ed99ca64adfe39fba9ac46e434327a]
stable/5.15: [5ef8ca1c164786da24169af155c1ca1ff1353cf8]
stable/6.1: [9a779d1f480e83720b5384adf165604e7ee226bd]
CVE-2026-23468: drm/amdgpu: Limit BO list entry count to prevent
resource exhaustion
stable/6.1 was fixed.
Fixed status
stable/6.1: [c833d6c7199c5b5fca9ec95593acd539ec9c171c]
CVE-2026-23469: drm/imagination: Synchronize interrupts before
suspending the GPU
stable/6.12 was fixed.
Fixed status
stable/6.12: [50257450196e4bba11c562117847ea409660a7de]
CVE-2026-23473: [REJECTED]: io_uring/poll: fix multishot recv missing
EOF on wakeup race
stable/6.1 was fixed.
Fixed status
stable/6.1: [3c7f635c60a3512b7912602df804ca7cd1cd3659]
CVE-2026-31407: netfilter: conntrack: add missing netlink policy validations
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [e7b5766693477c52424cc6c79dd30a7a9c7db52c]
stable/5.15: [78bba9f73942aa7dca47d817d8cec0fb9b443b70]
stable/6.1: [be88a337bf07afb1ee173f1099294d1b7ab3fefe]
CVE-2026-31409: ksmbd: unset conn->binding on failed binding request
stable/5.15 was fixed.
Fixed status
stable/5.15: [7e8b270813079c785696bce8802a3f920665c88c]
CVE-2026-31420: bridge: mrp: reject zero test interval to avoid OOM panic
stable/6.12, stable/6.18 were fixed.
Fixed status
stable/6.12: [630a15a31c2034b5b697f4aabc769b9d80d82446]
stable/6.18: [e8ec80430bfa520e7352155d6ac632e527cba7aa]
CVE-2026-31449: ext4: validate p_idx bounds in ext4_ext_correct_indexes
stable/6.1 was fixed.
Fixed status
stable/6.1: [10242e640b36b91ad03d25f3dc77854bbdff8358]
CVE-2026-31476: ksmbd: do not expire session on binding failure
stable/5.15 was fixed.
Fixed status
stable/5.15: [4642ea35c03cf3d3558c009df4757cdb7af3f82d]
CVE-2026-31486: hwmon: (pmbus/core) Protect regulator operations with mutex
stable/6.12 was fixed.
Fixed status
stable/6.12: [acf04e2863132f6d9222f71f3a76fb9782cbe061]
CVE-2026-31488: drm/amd/display: Do not skip unrelated mode changes in
DSC validation
stable/6.1 was fixed.
Fixed status
stable/6.1: [da1d0ed31e9802fd99384f43cc63678a5a11cb41]
CVE-2026-31489: spi: meson-spicc: Fix double-put in remove path
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [d61bcec3aec6f0244a9b963e0c76c00f771d49b6]
stable/6.1: [7434c64ddae88a02e7fb478bc256cc100d48d3e3]
CVE-2026-31500: Bluetooth: btintel: serialize btintel_hw_error() with
hci_req_sync_lock
stable/6.1 was fixed.
Fixed status
stable/6.1: [7e041d0aad1d4d43d921ace052e04f4e2cacaed3]
CVE-2026-31527: driver core: platform: use generic driver_override
infrastructure
stable/6.6 was fixed.
Fixed status
stable/6.6: [492349e5e4a369a8b62781100a3ade470bf1ce6b]
CVE-2026-31532: can: raw: fix ro->uniq use-after-free in raw_rcv()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3]
stable/5.15: [64c8553decf5a5f2417bd54761ea0a832c56c4ca]
stable/6.1: [3f43f12fde34737fba091b7e3ab391e14ddbb0be]
CVE-2026-31560: spi: spi-dw-dma: fix print error log when wait finish
transaction
stable/6.12, stable/6.18 were fixed.
Fixed status
stable/6.12: [b8188ff3cfaa5621212b08473488cdbe41f86531]
stable/6.18: [aae4a47073b12c23eb1d2c5401bda442fbe27bd1]
CVE-2026-31576: media: hackrf: fix to not free memory after the device
is registered in hackrf_probe()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [87b9685cca91ed715c39ba544715832d26a7f4b4]
stable/5.15: [131ec9046e1c8af101aebdaec4e8095e05f3312b]
stable/6.1: [67fd62e3efdc9dce01f76d95a745212f4feb38e6]
CVE-2026-31577: nilfs2: fix NULL i_assoc_inode dereference in
nilfs_mdt_save_to_shadow_map
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [6637bbcfb59df5b732a79e5ab1a74886a0b93d59]
stable/5.15: [837c7a59fb58f81b0db33848357f6a5d0d1250ad]
stable/6.1: [7902b1df1520a0880bcda7a3704cfacd17905a83]
CVE-2026-31578: media: as102: fix to not free memory after the device
is registered in as102_usb_probe()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [0d36653a3a821e5a974798adb347b3ea09332914]
stable/5.15: [25d500cf391e384356a612b85cf60b353ad3cd0c]
stable/6.1: [07ceb444c8f627cf863864d4274b5a77769725ed]
CVE-2026-31580: bcache: fix cached_dev.sb_bio use-after-free and crash
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [81f44ed8c3f54abb7561ece774ea4cca5070b2f2]
stable/5.15: [f50e7c325ab1207fe941555bcff659f6d7050572]
stable/6.1: [9467d360be70e6ee55b0c1cd2a1f1424f57b5b85]
CVE-2026-31581: ALSA: 6fire: fix use-after-free on disconnect
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [e719232f4552e29de8027a83918ea94434be87af]
stable/5.15: [e247a0e01d15ed420f77ec5e2335721bf430a5b3]
stable/6.1: [ba88461f7653636c48321ca993006a74724c2f41]
CVE-2026-31583: media: em28xx: fix use-after-free in em28xx_v4l2_open()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [3c0283a59e36e3707c4a81f4952e362d31f876b8]
stable/5.15: [2cbf81f76842e46bdf25823c70e1db4044a65678]
stable/6.1: [38a327221f7f765e7d853b7bafe47e342441ec85]
CVE-2026-31585: media: vidtv: fix nfeeds state corruption on
start_streaming failure
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [f8cccb427e65d725fc0ba05e8900b4676eda268e]
stable/5.15: [60f768d46df561e06d92ffcacc00909f37a0f23d]
stable/6.1: [80900b5424f3454256153ce386388df43b324f63]
CVE-2026-31586: KVM: SEV: Protect *all* of
sev_mem_enc_register_region() with kvm->lock
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [23acef4156c260e8598397a1a2e8b3a23e919893]
stable/5.15: [1bd36e93b542d9dd020190c6607c6a3663405195]
stable/6.1: [740ba1ebb223f137ff088ab74d533a13f9167bd8]
CVE-2026-31587: ASoC: qcom: q6apm: move component registration to
unmanaged version
stable/6.1 was fixed.
Fixed status
stable/6.1: [110769a9aa51135ac7ce479a47dfb41924f37664]
CVE-2026-31588: KVM: x86: Use scratch field in MMIO fragment to hold
small write values
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [019d0bd32b9a4646ba35d904907452039e2db700]
stable/5.15: [4569c66dd9e94a22cd0796b6514a8b25ffff16a1]
stable/6.1: [52570e73d48f1c73836d37e594667117b4c2a5a8]
CVE-2026-31590: KVM: SEV: Drop WARN on large size for
KVM_MEMORY_ENCRYPT_REG_REGION
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [6a8e3c82122737529b25ef2a048fbcc569d8c055]
stable/5.15: [a703933bcfa5cc76ca10e2048464600e74136099]
stable/6.1: [abcd43ff579abd0a654bb4636086e78819dd5f4c]
CVE-2026-31594: PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [305a0674bc552bfcc3231e23fb91cf4f62aec168]
stable/6.1: [b261027a1a235d8925e332363f23135a0eff2b35]
CVE-2026-31595: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in
epf_ntb_epc_cleanup
stable/6.1 was fixed.
Fixed status
stable/6.1: [b2eb405bbced3a6e772545e1b74dbde37cee1f8f]
CVE-2026-31596: ocfs2: handle invalid dinode in ocfs2_group_extend
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [7eafcf507fbd68f3276c00f6c02ef155ad69f79b]
stable/5.15: [fabfa6b81bd386154d7e59f8cd8f760f9e68b48c]
stable/6.1: [b328d8e7c437d0f026ba2c13788af6eae77700f1]
CVE-2026-31597: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [36539c4d536f851a3b346a6ebb27b51bc3d77a94]
stable/5.15: [35c2c05261d6f6d84aaa1355afa201d507943e76]
stable/6.1: [3f5e74b5db9353b01ed50f4de84e75b755f8fbc2]
CVE-2026-31598: ocfs2: fix possible deadlock between unlink and dio_end_io_write
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [297d8d7bb6a2bf133d3a3636edbdf94101cbd719]
stable/5.15: [32630dee18c6bb2175c8a865a474749492eaf19c]
stable/6.1: [93f35419eb84d58820040642cb6e7528fe4aba7a]
CVE-2026-31599: media: vidtv: fix NULL pointer dereference in
vidtv_channel_pmt_match_sections
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [54e18a23e62e81b8335cec3e8e9c5cb33fd88665]
stable/5.15: [5c986b77200b5ea754ba6636deacc7e0942fec9b]
stable/6.1: [93d9e747a9e8a5ca9e3c5e37dcff76b40399139f]
CVE-2026-31602: ALSA: ctxfi: Limit PTP to a single page
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [c5908160e17cb56e1f61fbaee08adc21083f4933]
stable/5.15: [de8016fb0904d68ac886e375069535996baa42ee]
stable/6.1: [2b4331c08c0b385598b4d8ccd71e93ab3f4b2578]
CVE-2026-31603: staging: sm750fb: fix division by zero in ps_to_hz()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [124a43550db8a74eef080cd4573a4904efe67029]
stable/5.15: [b285a8f3bbb821a93eb37c2740a68ca1d7112a59]
stable/6.1: [3300b049693138852a4c6738b5f1194a1ee91ddd]
CVE-2026-31605: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [9981de9fb5ae0d3d6bc5ff5ca63350c2a3cdc564]
stable/5.15: [fd50ab7dd4ee5bbb4aebffa76ae18484b03a8ea5]
stable/6.1: [828ce54b27de93bd9c67991bca5a2c76c76742de]
CVE-2026-31607: usbip: validate number_of_packets in usbip_pack_ret_submit()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [324262c38438255bf6bdbf6342ca47c0badaab76]
stable/5.15: [973f2c250289f5bf6cc146b98aa6fdde11fe50d6]
stable/6.1: [ce744264b06b97069b3722511ab355738311fee0]
CVE-2026-31611: ksmbd: require 3 sub-authorities before reading sub_auth[2]
stable/6.1 was fixed.
Fixed status
stable/6.1: [cf2148b880fb7c0fcd727202dbc4fd5d6998b9c2]
CVE-2026-31612: ksmbd: validate EaNameLength in smb2_get_ea()
stable/6.1 was fixed.
Fixed status
stable/6.1: [859f11e1bc81a4d32bb3ceeae54bcd296ac675d3]
CVE-2026-31613: smb: client: fix OOB reads parsing symlink error response
stable/6.1 was fixed.
Fixed status
stable/6.1: [043834e72337ee7b4e9685859888623ba1504ac7]
CVE-2026-31615: usb: gadget: renesas_usb3: validate endpoint index in
standard request handlers
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [7caaf76207f50c77abfd788380e19b2c23a94415]
stable/5.15: [c4e5ae6db2328d2d9ed55d3005a36c13faab0752]
stable/6.1: [360aa6e71870a175a6d86af905be2ca171639eb3]
CVE-2026-31616: usb: gadget: f_phonet: fix skb frags[] overflow in
pn_rx_complete()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [3d7f7e0c842242878c24b2facff8d6eda23ee1e9]
stable/5.15: [b5ec49fa198bd08967a3102bd41f53ccadce72c9]
stable/6.1: [7424f0287da73d3d8c5fa5e9d25d26fce762708e]
CVE-2026-31617: usb: gadget: f_ncm: validate minimum block_len in
ncm_unwrap_ntb()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [068a7f2749fff6462a0a908ec415b885fe430f50]
stable/5.15: [1425655c2870054c3ab4712e2b6dbdd331597ada]
stable/6.1: [8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca]
CVE-2026-31618: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [2f207e46c62688bb7eb4e3feaf9a0d94020fb0c9]
stable/5.15: [6c05191598eca87a87329b3f6e4a0825775f09cf]
stable/6.1: [59bde9e0930efef1286768cb65fc78d5e5267f93]
CVE-2026-31619: ALSA: fireworks: bound device-supplied status before
string array lookup
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [183aa0de0f680496b9feb85c9d182681ad4600dd]
stable/5.15: [62fcb273fbee5b2a0e7ed41cc914c8d7d1a5d285]
stable/6.1: [327f8e730e3c65ec97df9d3b07de66aeb3dc932d]
CVE-2026-31622: NFC: digital: Bounds check NFC-A cascade depth in SDD
response handler
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [9ba6bb09e00b922d902f684f575779e5433fe6e3]
stable/5.15: [f83b399aa05a0712e3b1569a30d3d90b3533d2ef]
stable/6.1: [20663102c14566e900e1d2f679e30b7f1694f387]
CVE-2026-31623: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [6807ff49bf796b3823b1e29f97b69316a40a9a94]
stable/5.15: [0c5c65a17db729fc63ab656bdaaf0e675a9dbeac]
stable/6.1: [6053620fdbcd89fa7e755644efdaab78e0daaae7]
CVE-2026-31624: HID: core: clamp report_size in s32ton() to avoid
undefined shift
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [76ad02854a30c394e0c076e6e6bed0a388573a94]
stable/5.15: [eb415ddaf25e09ddb8fe5736a70c9de2e6462534]
stable/6.1: [0ab048dbdb1daacf17d52e9252297eb6e1298e49]
CVE-2026-31625: HID: alps: fix NULL pointer dereference in alps_raw_event()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [56850666bb5dcf7a13d76c5d02864813e17ee537]
stable/5.15: [72516a8d7fe247fd895424bab87952f105a0c255]
stable/6.1: [cc411e4823d8bfa23327d9989a0fa4e0ce76aebe]
CVE-2026-31626: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [6792624d933146e2757b07092e93ad915cb58930]
stable/5.15: [51532c7c1d357145f4ac561648499f7a6847f739]
stable/6.1: [9e911eead187240193516edf55a0e1ab3425aa5b]
CVE-2026-31627: i2c: s3c24xx: check the size of the SMBUS message
before using it
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [fd1650da24ed54c716aa9b69e9bbd8a662e492da]
stable/5.15: [8f756a5964396da0fc9e0db33253a5b85dbbcbb6]
stable/6.1: [2d262da4bca6fab96e2e709feb95b31b0a9a03a7]
CVE-2026-31629: nfc: llcp: add missing return after LLCP_CLOSED checks
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [b2a23529593d011fb433a3d711fc597ed6a6bd2f]
stable/5.15: [665315df9c3486cb213fc44d83cc8bcd47fe0d26]
stable/6.1: [9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6]
CVE-2026-31630: rxrpc: proc: size address buffers for %pISpc output
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [386c86412608d3449006a318a662cbcd6ca1f668]
stable/5.15: [235b2115de892eab2e107a42efa7a4347baaa80b]
stable/6.1: [625af53a1564e31bb2df9adc3739df46137f46c1]
CVE-2026-31634: rxrpc: fix reference count leak in rxrpc_server_keyring()
stable/5.10 was fixed.
Fixed status
stable/5.10: [45d9584e51bdd61faf1900f82666d4ea6a85da72]
CVE-2026-31637: rxrpc: reject undecryptable rxkad response tickets
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [252157d939d179b5d767cb860ff8fa7f8723b67a]
stable/5.15: [a75b3b361dd481d942c5f259a82d59718a41092c]
stable/6.1: [b3a808cd0790b5075aaa2bc3588edf02cd71d352]
CVE-2026-31642: rxrpc: Fix call removal to use RCU safe deletion
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [3e47a38e584b905359fe0ce5be5165d1e8592a90]
stable/5.15: [b15b1ce96777b88989a6a4de8d01efbcd81ad2d7]
stable/6.1: [280efb85e9759881a9d31d0874baa04583cb6c09]
CVE-2026-31656: drm/i915/gt: fix refcount underflow in
intel_engine_park_heartbeat
stable/5.10 was fixed.
Fixed status
stable/5.10: [82034799c6c14b3104668878c3f3e5786f777126]
CVE-2026-31657: batman-adv: hold claim backbone gateways by reference
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [5202f071b367ffbc8e279fc7a00db14f5e587f52]
stable/5.15: [69d1ce9c72eca91203ffdb8d08bacd511100aec6]
CVE-2026-31664: xfrm: clear trailing padding in build_polexpire()
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [a5127501c8d30b5728791b1e340284ca5c9cc4bd]
stable/5.15: [e6f4ffe8596947a595c9544e73a73adcb0568b88]
CVE-2026-31673: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [e7339db13b9ddb63417b12da55fd6191e59f7442]
stable/5.15: [4f6a8f10182c3a9d22e8eb183957ae7ade9e4bf7]
stable/6.1: [c3ec44ab4526bbc4b6c9fc845af86488244f4c9b]
CVE-2026-31676: rxrpc: only handle RESPONSE during service challenge
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [a1a8efde03a40b6c658d580e96644d9b9a2a0d3a]
stable/5.15: [6c3a0fbdafef8316e34ae22333e317a341e737cd]
stable/6.1: [0afdfd4941c1b60a1f5c361760daa970edca60cd]
CVE-2026-31681: netfilter: xt_multiport: validate range encoding in checkentry
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [8c5bf8f5b478f569191c4a7982de7cd5f5f73c1a]
stable/5.15: [c9749f6232c845e31c21d4cc72200211df15d8a2]
stable/6.1: [b67d638cbee9975c765feb45c126e96ed11ec802]
CVE-2026-31684: net: sched: act_csum: validate nested VLAN headers
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [0410c619e86551677fb79887a38eccad3f5a0725]
stable/5.15: [886469b6455611a511aa6013e957e15e50577513]
stable/6.1: [46c07ad50fa2f4ba7663ee1b72b75ad7ad45cf09]
CVE-2026-31685: netfilter: ip6t_eui64: reject invalid MAC header for all packets
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [4d75bc2cd093bf5803edf512c099bfb220fd6459]
stable/5.15: [7d6a57411caf54df025860c9b1a82cd42d57a562]
stable/6.1: [d5603591373441fecf9951833d6d873e09320f08]
CVE-2026-31686: mm/kasan: fix double free for kasan pXds
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [7d7b2d5c107a1f6302cf0006d859985e7c3ddd1c]
stable/5.15: [3298bdf5a878ded06351eb293856fa84e050029e]
stable/6.1: [2277246ea265cdca64ce6fdea4b26cd6ff0ec4db]
CVE-2026-31694: fuse: reject oversized dirents in page cache
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [3059f9abe7f1ba8fddf3c86c5faa1eeacf07e7d4]
stable/5.15: [1d4a517fa90480c52fd452fea2686cd80f773ce2]
stable/6.1: [038e61812fa52ef62bad2cfc96bf37dc0db47c1e]
CVE-2026-31696: rxrpc: Fix missing validation of ticket length in
non-XDR key preparsing
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [44714dfda386884919ba366411880b6fb3c3efd3]
stable/5.15: [41a117dd80371343babc52198d1114e83eb37627]
stable/6.1: [9a397aa9b5e53ca63d4d6aefb542832eca389618]
CVE-2026-31697: crypto: ccp: Don't attempt to copy ID to userspace if
PSP command failed
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [99bae2e3c3f9ba8f854c938ed2c811b6a63b28e4]
stable/5.15: [a21ae9f8769e5f75433bb0a85ac3868b2100ef5b]
stable/6.1: [0f1f2f9894893dc8a28af1b9e9dbc0abf453eb52]
CVE-2026-31698: crypto: ccp: Don't attempt to copy PDH cert to
userspace if PSP command failed
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [af67d35da744b6b678c7a0296d9c679658779829]
stable/5.15: [854d7846e1d29f32f1bbeb2e869e794df12067f6]
stable/6.1: [25d9b3446001185484209cf57951f3368462b631]
CVE-2026-31699: crypto: ccp: Don't attempt to copy CSR to userspace if
PSP command failed
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [502d10a1d9d477e6c7fc7021a2dac7018f4ab8b5]
stable/5.15: [0fb87e44b81385f940b482cba5b3f0bd18fb8185]
stable/6.1: [372116eece159adff631b1508344c8b85ebf9559]
CVE-2026-31701: ALSA: caiaq: take a reference on the USB device in create_card()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [493b3a682ededc804555755f5d2193201339612d]
stable/5.15: [dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e]
stable/6.1: [ac7345f68cda6989016d85d63f7b244c064aa8f6]
CVE-2026-31702: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
stable/6.1 was fixed.
Fixed status
stable/6.1: [57bc678f36ac03281e877c6b84877b43f964143f]
CVE-2026-31704: ksmbd: use check_add_overflow() to prevent u16 DACL
size overflow
stable/6.1 was fixed.
Fixed status
stable/6.1: [41e53a773db6342ac9a689ee5ba635c31744c9f0]
CVE-2026-31705: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
stable/6.1 was fixed.
Fixed status
stable/6.1: [ddbbc8b2a09dd2cfed90871313e3691ae1db08a2]
CVE-2026-31708: smb: client: fix OOB read in smb2_ioctl_query_info
QUERY_INFO path
stable/6.1 was fixed.
Fixed status
stable/6.1: [1dd757379997b71a328a4b591ffaf481acd0ead1]
CVE-2026-31711: smb: server: fix active_num_conn leak on transport
allocation failure
stable/6.1 was fixed.
Fixed status
stable/6.1: [60734c8bc3b4aa0672e251f08dda81977e4b5387]
CVE-2026-31716: fs/ntfs3: validate rec->used in journal-replay file record check
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [8e64d33198b5a0fb14a452708bad844f94f03b2c]
stable/6.1: [1393a467a9607e62123806de7d4c3a3e54e396a9]
CVE-2026-31717: ksmbd: validate owner of durable handle on reconnect
stable/6.12, stable/6.6 were fixed.
Fixed status
stable/6.12: [c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d]
stable/6.6: [712cdf917e77a6444ce3836874829d770db20ee6]
CVE-2026-43052: wifi: mac80211: check tdls flag in ieee80211_tdls_oper
stable/5.15, stable/6.1, stable/6.6 were fixed.
Fixed status
stable/5.15: [6813a8b1b240756dad4375f3e020ce10e4e3871b]
stable/6.1: [44839ea7e96b3659a1606f3d5267063135479b7c]
stable/6.6: [ba5b43db126a5e7378553869e3f7954d9187349f]
CVE-2026-43058: media: vidtv: fix pass-by-value structs causing MSAN warnings
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [a876d72ceba7fe5444005239f363c105767e0ecf]
stable/5.15: [a73f84a30975e6c4ae06efd500d31c82564dba10]
stable/6.1: [c034d8094fee474eb94142c17643eee2919079b7]
CVE-2026-43071: dcache: Limit the minimal number of bucket to two
stable/6.1 was fixed.
Fixed status
stable/6.1: [45b06bb5ea96f75ad81d7ef446f832ea6b0026fe]
CVE-2026-43072: drm/vc4: platform_get_irq_byname() returns an int
stable/6.1 was fixed.
Fixed status
stable/6.1: [59ece0d4d1db0cf483c4c51a58691f50ff81d3a2]
CVE-2026-43074: eventpoll: defer struct eventpoll free to RCU grace period
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [902120be4f44947df6311002addc7faf69bdbff1]
stable/6.1: [a6d57084372161f86660bc4607784420e00efe2c]
CVE-2026-43075: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [68f9cc3bbf2ae501770cea7dc0005fc9a85e48ea]
stable/5.15: [2e6a254f9cedf51b75cc20b8b92e2209bfa04c3e]
stable/6.1: [22df7d4de9c5cd42edf855a1de25f2106088c4c6]
CVE-2026-43076: ocfs2: validate inline data i_size during inode read
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [d012c782abcabe68b5b9e71be58a15e9f9d83dc1]
stable/5.15: [bcd46bc261b215b3b12c557a978299eafa02ecdd]
stable/6.1: [131c0b573e1b467b7d553e9ff38003f1acd8f5f2]
CVE-2026-43079: perf/x86/intel/uncore: Skip discovery table for offline dies
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [d18da11a5e21eac7651c8897e5e0908f6c2bc9de]
stable/6.1: [dfcba8c8674cead6c88a2f269b71aa4efd3d384a]
CVE-2026-43080: l2tp: Drop large packets with UDP encap
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [02d787fd0922c71c0264449fe82d35983613e4e5]
stable/5.15: [c2994fd24997ed63d713c03313f863645adb4d6c]
stable/6.1: [a42452db035577e150ffd9adf98c56fef9fb9408]
CVE-2026-43085: netfilter: nfnetlink_log: initialize nfgenmsg in
NLMSG_DONE terminator
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [296f18e1c3a87c915a92ed27832d5040a22d1072]
stable/5.15: [9e2182865de781c41ab16b7985e9d26dcefea867]
stable/6.1: [57cc509d82b46150a11dcecc8b25eaa177eda34d]
CVE-2026-43089: xfrm_user: fix info leak in build_mapping()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [521385cbd50ca9474396d88462fcdfa6489685d9]
stable/5.15: [c2779ae9a3e5a044e5ccd564681511bbbcc5fc0f]
stable/6.1: [72a8de41c3eb4dcf22bf3b674ea38fb2f75d6f32]
CVE-2026-43093: xsk: tighten UMEM headroom validation to account for
tailroom and min frame
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [5f123bc278bf4e3283d8606321bebbfd299f4384]
stable/5.15: [1a6051cd7e3e4c54ff3854a43b638b9292af5e67]
stable/6.1: [8769708add9eadeea8041a9761771bb715a87104]
CVE-2026-43094: ixgbevf: add missing negotiate_features op to Hyper-V ops table
stable/6.1 was fixed.
Fixed status
stable/6.1: [376d74ea03589914fbe2dedcbebf418396c04fd0]
CVE-2026-43098: nfc: s3fwrn5: allocate rx skb before consuming bytes
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [20a57de2e79b797ed75382659d52bf4c7d9cb446]
stable/6.1: [e4ab0fd1c91882f2a7846b1817781c8741f7f315]
CVE-2026-43099: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [0f21bc261e60f0c696c58841c4873ff77ed83673]
stable/6.1: [dc5db4db19766a61ad65d81d1f55b1c1e51ba78d]
CVE-2026-43103: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [698642a01d53107ce9b3fc08bd801284af478a2b]
stable/5.15: [ffc5ed59f6dc87c51e8775f002619310225742e8]
stable/6.1: [a10570973619cba9dfa6d723177251b846fae587]
CVE-2026-43104: drm/vc4: Fix a memory leak in hang state error path
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [c197def3834cbee3fd824ce4c57d08cb24e18955]
stable/5.15: [9487daa18e627ac6b5ed5911be79f23362554b70]
stable/6.1: [259e2bba3fd7005c62cbd42365a48b3221b244e3]
CVE-2026-43105: drm/vc4: Fix memory leak of BO array in hang state
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [7235fc096ece53211bd2c0e958c65f9b802aeb98]
stable/5.15: [686bb2fce082f043db50db02b5de5c64ca4dc4c4]
stable/6.1: [9c092941fc1d00933bcb46ecac1cb930db3abf5d]
CVE-2026-43110: wifi: brcmfmac: validate bsscfg indices in IF events
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [b329fbcf075949a038045d8e9b86ae3d5bbd8a54]
stable/5.15: [2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734]
stable/6.1: [9c81bcc2c695e0082012a2a3d36a0eefaa51579c]
CVE-2026-43111: HID: roccat: fix use-after-free in roccat_report_event
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [20dca865460f7943cf70afca274b60dac371f546]
stable/5.15: [441689e3103694caa3e2d62b7d57c7bccefa5e37]
stable/6.1: [181ea51ab0f6370842c5b49cfb86824253a1189e]
CVE-2026-43112: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [a2ba20c17de8eb028f96b1d85f119d3d25655bd9]
stable/6.1: [fbced33599653471b4581dfe1abc7b467031f126]
CVE-2026-43113: wifi: wl1251: validate packet IDs before indexing tx_frames
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [6509dbece7339dbc8980c706b9d623119a6de105]
stable/5.15: [a8a11a876f0a97061ee5d9e61d0f5a0df7e241c7]
stable/6.1: [e0dc1ad870d6788b049bfe1511ac75b2333a7550]
CVE-2026-43114: netfilter: nft_set_pipapo_avx2: don't return
non-matching entry on expiry
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [f8c39983fc9c1a978c82e6f2df7bfba8a8561587]
stable/5.15: [c7babe2f28b507e17f28e9f753b7caec72d4857f]
stable/6.1: [1c43f0dd8691ddf8884793b481ddc7511cf593c3]
CVE-2026-43117: btrfs: tracepoints: get correct superblock from dentry
in event btrfs_sync_file()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [4a7bab35fad5251c8cb738161152578cd83b6b9c]
stable/5.15: [520e8b4bcf872a534a7bf61ccf880047642df296]
stable/6.1: [e252db8ca2a01f82d472091f35d549b313278636]
CVE-2026-43281: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [2c7ff651ec6b660c7c96a36db9328b3232f555d8]
stable/5.15: [ec0874447895b994182a962d2fee9ef075de5efd]
CVE-2026-43319: spi: spidev: fix lock inversion between spi_lock and buf_lock
stable/6.6 was fixed.
Fixed status
stable/6.6: [fabfed1afe273717ea33b8aee46b767360edbb80]
CVE-2026-43328: cpufreq: governor: fix double free in
cpufreq_dbs_governor_init() error path
stable/5.15 was fixed.
Fixed status
stable/5.15: [4b9118e93d2499bb2808ef3742fa0ce06f4f8117]
CVE-2026-43350: smb: client: require a full NFS mode SID before
reading mode bits
stable/6.1 was fixed.
Fixed status
stable/6.1: [8bd4cad3f458d11650d51c2d24b03fb1770ae6cc]
CVE-2026-43493: crypto: pcrypt - Fix handling of MAY_BACKLOG requests
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [ae7e95638d956d556d74b9abb9e780d3bd3dcd9e]
stable/5.15: [1d7f07df450bac3301938fbc4251f2611be4084e]
stable/6.1: [76641449b28979ebd6c02e9598367e119e385236]
CVE-2026-43494: net/rds: reset op_nents when zerocopy page pin fails
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [c6e51512a784c4a7b86e1a044988696e3b3721fa]
stable/5.15: [03014551938a0887fa55f18ce49b70158a9c0113]
stable/6.1: [d84ce1786ce40fdd3dd98db47aec5527817e1ef6]
CVE-2026-43496: net/sched: sch_red: Replace direct dequeue call with
peek and qdisc_dequeue_peeked
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [03b0aaeba082ae981a0dfe96cdd03d02050537a1]
stable/5.15: [c7335f4dc0fa21f7015b910c6fc2f4d599732328]
stable/6.1: [45cd83c5c470ba49fe261489c8358ad7b9df7c45]
CVE-2026-43497: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent
use-after-free
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [60f711cfd580f86fea8284146ac133804e728f9a]
stable/5.15: [5931f5651ee32bd41b3323256b31fcc8e71336ed]
stable/6.1: [e3d9865dacd7435b8465848428210d0f0c673311]
CVE-2026-43499: rtmutex: Use waiter::task instead of current in remove_waiter()
stable/6.1 was fixed.
Fixed status
stable/6.1: [d8cce4773c2b23d819baf5abedc62f7b430e8745]
CVE-2026-43501: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [bde199c72d319a4e207f88daabc888317504e2fb]
stable/5.15: [be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e]
stable/6.1: [0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402]
CVE-2026-43502: net/rds: handle zerocopy send cleanup before the
message is queued
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [e9aefdc5c53fe9aed108c14e3d155710a1bb14c9]
stable/5.15: [46662f7dc59475995609bf3e9d27eb36f4acf26f]
stable/6.1: [1e262db7675e27f42c3f3f47d6011855f4454f24]
CVE-2026-45834: Bluetooth: L2CAP: Fix null-ptr-deref in
l2cap_sock_state_change_cb()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [1b1c0da227bf63479bac9982fc8d12df9aaea0fb]
stable/5.15: [85426e97dc72f2088ba6d27e74cd58c3fbd43e31]
stable/6.1: [0c17c8832562b2aac288e89cefd0f46074f54bcb]
CVE-2026-45835: Bluetooth: L2CAP: Fix null-ptr-deref in
l2cap_sock_new_connection_cb()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [140b63cb46f2855ac4ec8fba2f1e974a9c2974e8]
stable/5.15: [2422eaed0925973c0f318c94eb13e76f14c7381e]
stable/6.1: [684a1f9ee2325437ae18ac5371884e4c6a25ae73]
CVE-2026-45836: Bluetooth: L2CAP: Fix null-ptr-deref in
l2cap_sock_get_sndtimeo_cb()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [fd072f833147b0bc10c43a454624cb99d02f3fc7]
stable/5.15: [6e8d1a2a677a81caa60cf0aabd4217bd585fbba1]
stable/6.1: [e1863e7480feddb90125d0dd5a1b572972d75908]
CVE-2026-45838: bpf: fix end-of-list detection in cgroup_storage_get_next_key()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [0f3d9dd5e1fd52b39e25328307c6a694e994ffe3]
stable/5.15: [26d3339e465e54107bd85884341d1609c5300d6a]
stable/6.1: [2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6]
CVE-2026-45839: bpf: reject negative CO-RE accessor indices in
bpf_core_parse_spec()
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [a9e777f856cd2f1efc106afc7bf21aef868509d5]
stable/6.1: [669349b4612c26b3d7aacfa99d7174681bd19223]
CVE-2026-45840: openvswitch: cap upcall PID array size and pre-size
vport replies
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [8d59b80e69dddb665eb2de36e62859ab2073470e]
stable/5.15: [d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0]
stable/6.1: [b39f763d720d623218bc1d95ace6855d7b474e81]
CVE-2026-45841: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [cb833bbc1b3c51e08652d3c86298307c07d3f2db]
stable/5.15: [26900306a5a2c3e4f75c643a064525526bb6e5f3]
stable/6.1: [0694618cf3e9b120666e31f5f383a6e466d95a0d]
CVE-2026-45842: slip: reject VJ receive packets on instances with no
rstate array
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [3d71c961febddd855d3ae9a519eeb96c8023f430]
stable/5.15: [72304fec672e8aac9ee7b9c475db96b37cca8d8d]
stable/6.1: [4aa9eca6fda2919027dfd7a7cc69334982d89586]
CVE-2026-45843: slip: bound decode() reads against the compressed packet length
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [6268f01ae989013671b526c883e92655342c6f6f]
stable/5.15: [9aafba2f49e1fcccc2018816f5836a609c925879]
stable/6.1: [335957df4ed60f02a2ec0432fbedbf0cc7241d8b]
CVE-2026-45844: netfilter: arp_tables: fix IEEE1394 ARP payload parsing
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [0f23a1457695f1a61f64367e39f0f9cfa29947d1]
stable/5.15: [1e285362ef7096eb12733370d59e033f4a1d294a]
stable/6.1: [84e8536c981338d0d8cc6e712cf71a936a93e13f]
CVE-2026-45846: bareudp: fix NULL pointer dereference in
bareudp_fill_metadata_dst()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [31e010a106ff6cd8ccac4bfee547fd3fa1015574]
stable/5.15: [55193df8d6d33318435f19572bf5ea47a22eee28]
stable/6.1: [51eef9c072aa3405a6823a96ae666d38a3b48750]
CVE-2026-45986: crypto: ccree - fix a memory leak in cc_mac_digest()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [7c21d58fcd6ad8e15a539347254093c93224a8b2]
stable/5.15: [f53458c7c756b3e0838d51cf1e9f41b25079801a]
stable/6.1: [7cd17993adb8a5d14a7e84d751316a5fdf0c251f]
CVE-2026-45987: KVM: nSVM: Sync interrupt shadow to cached vmcb12
after VMRUN of L2
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [0c1f74d8b74d8a31751fb6ea5417e48e02c93b58]
stable/5.15: [4b44aa1a134e499c4517597118378b308602a16c]
stable/6.1: [e39a77a9b1e17d2d831c304eafac4c41a784a0be]
CVE-2026-45992: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [2d42c3386b7389d33caea7184cdb0188997fa6a9]
stable/5.15: [d50223ae98148fcc3bba18e718e4b0608df83bce]
stable/6.1: [089940d969e13e129b54f104a578cbafd99e308b]
CVE-2026-45994: ibmasm: fix OOB reads in command_file_write due to
missing size checks
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [44ee19422aa82a6847594866de7e5a31e4ef98b3]
stable/5.15: [7b8a574da5d7ea99b943f7a3458a17a1d95e8838]
stable/6.1: [d50e2019c9d7c433f56d9dff65703eb904aa1fb1]
CVE-2026-45997: scsi: sd: fix missing put_disk() when
device_add(&disk_dev) fails
stable/6.1 was fixed.
Fixed status
stable/6.1: [2c2c14b7dfccad8c5a28802849e40c21252e4c28]
CVE-2026-46002: ext2: reject inodes with zero i_nlink and valid mode
in ext2_iget()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5]
stable/5.15: [9e2d67fb2b73eeff8b601e26b332128eae8147bb]
stable/6.1: [a69a0c5156b6f0092b9fcf44517f5831a962de2d]
CVE-2026-46004: ALSA: caiaq: Handle probe errors properly
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [da938aa9fc7826901921dcea225948ab21a97e45]
stable/5.15: [09616e25f502080ba684fc7fcf959d1376ab756d]
stable/6.1: [b956e48371f2ff72b76be9a829800ecec963bd45]
CVE-2026-46006: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [573a1104bd36e49c067a9dc62e7c476d5ee7e92a]
stable/6.1: [45a45184b9c0b0b26ead06e370cda2073616a7cc]
CVE-2026-46009: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [c3029721b84f59e790285ad27544ed5d3cb0f2a6]
stable/6.1: [c72f6a7ea638f95c486a5cfd86e567b646027687]
CVE-2026-46015: tcp: call sk_data_ready() after listener migration
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [7aa7933a5607b1e5b56f322d17265c1d0ea02c51]
stable/6.1: [14e9bb6eba8f59dcc637702e4744ae5e30660d76]
CVE-2026-46018: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [5436bc1b07d4656f99412dc72871d250d7d55205]
stable/5.15: [0da05fedf5e1966b7e7d389866cb86fcf09f4b32]
stable/6.1: [f14bd323eec4b4f0ef662520ec852e593ece1d4c]
CVE-2026-46019: crypto: atmel-aes - Fix 3-page memory leak in
atmel_aes_buff_cleanup
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [de6952e0af2acbada900d742437e848285c01d11]
stable/5.15: [5ad40cde96d603a88d68f8ed59f6d36407ab1f3c]
stable/6.1: [03e00aafa5f747d07811589e8d5fee638245431b]
CVE-2026-46022: misc: ibmasm: fix OOB MMIO read in
ibmasm_handle_mouse_interrupt()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [6f6ecc9153df176e956d0664b56f93080b0a45f0]
stable/5.15: [bac8643486f854dd53af9b23aea7dbbd9b7c1865]
stable/6.1: [f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab]
CVE-2026-46023: dm mirror: fix integer overflow in create_dirty_log()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [e5e0ae3237584ebef510366c4cb3d5cc7c22b610]
stable/5.15: [249c831183fb806c8e3b14c7c4c1d2fb68cf37fb]
stable/6.1: [ae59b3025609d5a0a39cf5b2b94e2467f6231573]
CVE-2026-46024: libceph: Prevent potential null-ptr-deref in
ceph_handle_auth_reply()
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [9ded62c302c0342efdb5eda3bf6e75720caad0df]
stable/6.1: [f101271fcf55d7eacfefd610b51ec65f46ba8118]
CVE-2026-46027: net/smc: avoid early lgr access in smc_clc_wait_msg
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [257cdf0c5ced9c0fba8aba501d94b0a5fcef2086]
stable/5.15: [22546729b96fc873b23065dc49e3d73c45cfb874]
stable/6.1: [5eedbfd82c2884e0010fdfb3c9446a6ebcadb691]
CVE-2026-46031: net: ks8851: Reinstate disabling of BHs around IRQ handler
stable/6.1 was fixed.
Fixed status
stable/6.1: [1962027a6d223f90df8b372929f9d1a8d321ad6a]
CVE-2026-46033: crypto: authencesn - reject short ahash digests during
instance creation
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9]
stable/5.15: [2f31cd1e64a079c845bca31d2da7b3c90a311726]
stable/6.1: [d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0]
CVE-2026-46037: ipv4: icmp: validate reply type before using icmp_pointers
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99]
stable/6.1: [93df2af4f491de33827550b9d420f01808c0706b]
CVE-2026-46040: inotify: fix watch count leak when
fsnotify_add_inode_mark_locked() fails
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [3ab58cf42c46bf2366d2f55ae5c59299d5e178b7]
stable/5.15: [10edf7e0ffdc7faa18e2244b17722c1b882b8273]
stable/6.1: [3ad9ccea1b25435f6179b57aa891960beb7ce8f9]
CVE-2026-46043: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [c4376c672c3648d5bdc31dfffc329d07164f93c4]
stable/5.15: [5fedefec757192dcaad29a664ac332c7601be144]
stable/6.1: [2c0d71ef12f46c57d37bc571f3f2797db7eb50cc]
CVE-2026-46044: ipmi:ssif: Clean up kthread on errors
stable/5.10, stable/5.15 were fixed.
Fixed status
stable/5.10: [549607af66a0efdb41307ba6343eed31de8b133e]
stable/5.15: [f2d0a3ede5ebf404d4c334a1f04ef439e0086857]
CVE-2026-46046: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [dd98a5603a212ea9c96c6982ccdbcc748fdb9a56]
stable/5.15: [153ab2c52355fbebcae622db8e7b506492c73a29]
stable/6.1: [b706d00206a9e82362a9633efbd8b5775650169b]
CVE-2026-46047: net: qrtr: ns: Fix use-after-free in driver remove()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [65168712c216584ff482a7d1a67589f2079b2634]
stable/5.15: [dff081c3602f2fd810f69ef47945a226980dd05d]
stable/6.1: [4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167]
CVE-2026-46048: ALSA: caiaq: fix usb_dev refcount leak on probe failure
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [c874db8a1d2f9f08161470d00cfe8db2f5cca2cc]
stable/5.15: [6fa8dff64fb6c401ced40a05797b327659317498]
stable/6.1: [a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a]
CVE-2026-46049: ALSA: ctxfi: Add fallback to default RSR for S/PDIF
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [d0b53842211f73a10ea174100a213f7fa14b9f33]
stable/5.15: [615b7a5e5d8be68d52f262579906f7e015ba4606]
stable/6.1: [dfc00979ff00d9dfdfa1df32144a272ee2728102]
CVE-2026-46050: md/raid10: fix deadlock with check operation and nowait requests
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [2249983d971e6839b36284e6610390b2c217dfa1]
stable/6.1: [ae356d5eb1331d678985799f893e436314834a87]
CVE-2026-46051: md/raid5: fix soft lockup in retry_aligned_read()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [66df9f30673db66ac35145820a8e24906069ae57]
stable/5.15: [4166d5234fe8b6c3c7f796a6c198605356c5b355]
stable/6.1: [a9055300e07d9d6800264d3c2560e1d0144689ca]
CVE-2026-46053: net: rds: fix MR cleanup on copy error
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [91a44b406bc1f9e1c5da0cb7d0d5991b43b79147]
stable/5.15: [106dc689206610cfa2098f593fdd1e020c997835]
stable/6.1: [ec55a86f7fba7d9111df94b9c11a4755ed492995]
CVE-2026-46056: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
stable/6.1 was fixed.
Fixed status
stable/6.1: [b6ae482f88654db407c8c17619d4b62959b903ef]
CVE-2026-46058: media: amphion: Fix race between m2m job_abort and device_run
stable/6.1 was fixed.
Fixed status
stable/6.1: [516467052fdfc6a13eadc70d43420ae57436bf3c]
CVE-2026-46062: ntfs3: fix integer overflow in run_unpack() volume
boundary check
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [424858f9a048057bb8f834bfe03d18f5e477e747]
stable/6.1: [e73cd5aed6b15e55c1c47577bdb473b5e88d6a69]
CVE-2026-46064: ibmasm: fix heap over-read in ibmasm_send_i2o_message()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [ca1c857e2bb74a9fc0606128334f85316d57067b]
stable/5.15: [b870f652877bfbe321bd0f4096fc37a93296f7b6]
stable/6.1: [ce57fa439bd1b5d664f334a0c3e3f0e42abb0153]
CVE-2026-46070: md/raid5: validate payload size before accessing
journal metadata
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [c96c6f01d84b5c67db1bf1cc8591c0b7146826fc]
stable/5.15: [ef4851d8324fd978ca1ff9ec76a275438f887743]
stable/6.1: [28d3ff7109c66e99dc1b7cddacb5c760849620ef]
CVE-2026-46072: ntfs3: add buffer boundary checks to run_unpack()
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [bbad75336870b51b81979b97613746237fcb02fe]
stable/6.1: [425de2aba0d061b3e715d51a3b1992c112ed5b99]
CVE-2026-46075: crypto: atmel-sha204a - Fix potential UAF and memory
leak in remove path
stable/6.1 was fixed.
Fixed status
stable/6.1: [6dbeb0f788582e1ab5dfc3f41994eac0ec88c2b5]
CVE-2026-46077: crypto: atmel-tdes - fix DMA sync direction
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [ce3224678acb8c0b3473daa7d7dbffc998c6951a]
stable/5.15: [b9b28f3881dd514e74f98ae04e79a635022a4804]
stable/6.1: [c0f3002c02a3a83250e25582ffbe8df7eb78a8bd]
CVE-2026-46078: erofs: fix the out-of-bounds nameoff handling for
trailing dirents
stable/6.1 was fixed.
Fixed status
stable/6.1: [80a23c6d1aba35be8746d74ac14e6ba5ae46da21]
CVE-2026-46079: rbd: fix null-ptr-deref when device_add_disk() fails
stable/6.1 was fixed.
Fixed status
stable/6.1: [78bd0c143dea4b7a4c23c13356987ca0eafb442e]
CVE-2026-46080: ocfs2: split transactions in dio completion to avoid
credit exhaustion
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [97c03c0e9f73a5049794b3c69ee60fb5e8b0ebd8]
stable/5.15: [1e99bb19994246514d63e656492904176f9d5edd]
stable/6.1: [91e05ac2336d00d5b99fc774be4bd50039084796]
CVE-2026-46082: KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [ebb63390142c6458fc37758e0892759989cc159f]
stable/6.1: [491139c17f8ad5773303068411f6ac5eed438b51]
CVE-2026-46088: ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names()
stable/5.10, stable/5.15, stable/6.1 were fixed.
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
Fixed status
stable/5.10: [708f6ec9bcdf58bfd561409110baaf4fd3be4ea3]
stable/5.15: [bfcbb4994da9e979c4bcfcf24aaaac69e457e48e]
stable/6.1: [a470f7cabc4df72d9bd132f5719a8717292bb440]
CVE-2026-46092: wifi: rtw88: check for PCI upstream bridge existence
stable/6.1 was fixed.
Fixed status
stable/6.1: [3b89b4c095804c478d50376285e66700cf3c045f]
CVE-2026-46098: net: caif: clear client service pointer on teardown
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [cffca7a18b8f9de7c3d3013a1f5740c412b2a501]
stable/5.15: [7ef97d4675b05a103648bd9244d91dff7d8c08b0]
stable/6.1: [e16859f3f4426fa349bc5519d582a93d28f5a15d]
CVE-2026-46099: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.15: [51fef5a7c4d160839199e941929456ba21ddf73c]
stable/6.1: [b258b849a580285a1692e782ebc902b44c884a71]
CVE-2026-46101: netfilter: reject zero shift in nft_bitwise
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [9baa08d6b6b096fad70049533f0d705d85fdc979]
stable/5.15: [4fccea585631621c975883911a08d15b6671f7dc]
stable/6.1: [9ad26c272405f53834871cc2e46b9b5393a666c3]
CVE-2026-46102: net: strparser: fix skb_head leak in strp_abort_strp()
stable/5.10, stable/5.15, stable/6.1 were fixed.
Fixed status
stable/5.10: [d6668ce0e78d23eabecef9a6bc4f0f739cb28ad3]
stable/5.15: [a470ed71c906cc8cbad0d74c9942216698911f8b]
stable/6.1: [c2e57695ec9ff9d42f23de70f3805199153d007b]
CVE-2026-46103: can: ucan: fix devres lifetime
stable/6.1 was fixed.
Fixed status
stable/6.1: [3df5b9110ac08f67ccfe382fc172bfee95688eec]
Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
^ permalink raw reply
* [isar-cip-core][PATCH] add descriptions for dpkg-raw and initramfs-hook recipes
From: Felix Moessbauer @ 2026-06-03 14:51 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Felix Moessbauer
The description must not be empty (isar requirement), and it ends
up in the SBOM. For that, we add meaningfull descriptions to the
packages we generate.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
Note, that the missing descriptions where discovered on an MTDA image build.
recipes-core/home-fs/home-fs_0.1.bb | 1 +
recipes-core/journald-config/journald-config_0.1.bb | 1 +
recipes-core/move-homedir-var/move-homedir-var_0.1.bb | 1 +
recipes-core/swupdate-config-wfx/swupdate-config-wfx_0.2.bb | 1 +
recipes-core/swupdate-config/swupdate-config_0.2.bb | 1 +
.../swupdate-handler-roundrobin_0.1.bb | 1 +
recipes-core/tmp-fs/tmp-fs_0.2.bb | 1 +
recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb | 1 +
recipes-devtools/swupdate-signer/swupdate-signer-empty.bb | 1 +
.../initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.3.bb | 1 +
.../initramfs-crypt-hook/initramfs-crypt-hook_0.11.bb | 1 +
.../initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb | 1 +
.../initramfs-overlay-hook/initramfs-overlay-hook_0.4.bb | 1 +
.../initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb | 1 +
.../initramfs-verity-hook/initramfs-verity-hook_0.3.bb | 1 +
15 files changed, 15 insertions(+)
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb
index fd88f21..c99c32a 100644
--- a/recipes-core/home-fs/home-fs_0.1.bb
+++ b/recipes-core/home-fs/home-fs_0.1.bb
@@ -11,6 +11,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Systemd unit to mount a dedicated /home filesystem"
SRC_URI = "file://postinst \
file://home.mount"
diff --git a/recipes-core/journald-config/journald-config_0.1.bb b/recipes-core/journald-config/journald-config_0.1.bb
index 62fc0c7..62b569c 100644
--- a/recipes-core/journald-config/journald-config_0.1.bb
+++ b/recipes-core/journald-config/journald-config_0.1.bb
@@ -11,6 +11,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Systemd journald drop-in configuration for persistent journal storage"
SRC_URI = "file://persistent-journal.conf"
diff --git a/recipes-core/move-homedir-var/move-homedir-var_0.1.bb b/recipes-core/move-homedir-var/move-homedir-var_0.1.bb
index 54e807a..a8d1318 100644
--- a/recipes-core/move-homedir-var/move-homedir-var_0.1.bb
+++ b/recipes-core/move-homedir-var/move-homedir-var_0.1.bb
@@ -11,6 +11,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Relocate home directory data to /var"
DEBIAN_CONFLICTS = "home-fs"
SRC_URI = "file://${BPN}.tmpfiles.tmpl"
diff --git a/recipes-core/swupdate-config-wfx/swupdate-config-wfx_0.2.bb b/recipes-core/swupdate-config-wfx/swupdate-config-wfx_0.2.bb
index 70a2eb6..16abd5d 100644
--- a/recipes-core/swupdate-config-wfx/swupdate-config-wfx_0.2.bb
+++ b/recipes-core/swupdate-config-wfx/swupdate-config-wfx_0.2.bb
@@ -12,6 +12,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "SWUpdate Suricatta WFX client configuration"
PROVIDES := "${PN}"
DEBIAN_PROVIDES := "${PN}"
diff --git a/recipes-core/swupdate-config/swupdate-config_0.2.bb b/recipes-core/swupdate-config/swupdate-config_0.2.bb
index cdfd8b9..b48e3d1 100644
--- a/recipes-core/swupdate-config/swupdate-config_0.2.bb
+++ b/recipes-core/swupdate-config/swupdate-config_0.2.bb
@@ -12,6 +12,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "SWUpdate base configuration"
PROVIDES := "${PN}"
DEBIAN_PROVIDES := "${PN}"
diff --git a/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb b/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
index 2ba192c..d4d0f8d 100644
--- a/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
+++ b/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
@@ -11,6 +11,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Lua round-robin SWUpdate handler"
PROVIDES = "swupdate-handlers"
diff --git a/recipes-core/tmp-fs/tmp-fs_0.2.bb b/recipes-core/tmp-fs/tmp-fs_0.2.bb
index f2b7976..a361005 100644
--- a/recipes-core/tmp-fs/tmp-fs_0.2.bb
+++ b/recipes-core/tmp-fs/tmp-fs_0.2.bb
@@ -11,6 +11,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "systemd unit to mount /tmp as tmpfs"
SRC_URI = "file://postinst"
diff --git a/recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb b/recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb
index ee8d172..845bb9a 100644
--- a/recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb
+++ b/recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb
@@ -11,6 +11,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "SWUpdate signer script to sign with deployed signing certificates"
PROVIDES = "swupdate-signer"
DEBIAN_PROVIDES = "swupdate-signer"
diff --git a/recipes-devtools/swupdate-signer/swupdate-signer-empty.bb b/recipes-devtools/swupdate-signer/swupdate-signer-empty.bb
index af9de76..c6f624e 100644
--- a/recipes-devtools/swupdate-signer/swupdate-signer-empty.bb
+++ b/recipes-devtools/swupdate-signer/swupdate-signer-empty.bb
@@ -11,6 +11,7 @@
inherit dpkg-raw
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Placeholder SWUpdate signer that creates a dummy signature"
PROVIDES = "swupdate-signer"
DEBIAN_PROVIDES = "swupdate-signer"
diff --git a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.3.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.3.bb
index 48f6458..95331ba 100644
--- a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.3.bb
+++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.3.bb
@@ -12,6 +12,7 @@
inherit initramfs-hook
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Initramfs hook for selecting and mounting the active A/B root filesystem"
RDEPENDS += "initramfs-cip-functions"
DEBIAN_DEPENDS .= ", util-linux, initramfs-cip-functions"
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.11.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.11.bb
index 3cb0520..87d455d 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.11.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.11.bb
@@ -12,6 +12,7 @@
inherit initramfs-hook
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Initramfs hook for TPM-backed encrypted partition setup and unlock"
RDEPENDS += "initramfs-cip-functions"
diff --git a/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb b/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb
index 2015503..6a3af29 100644
--- a/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb
+++ b/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb
@@ -12,5 +12,6 @@
inherit initramfs-hook
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Initramfs hook that adds EROFS filesystem support during early boot"
HOOK_ADD_MODULES = "erofs"
diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.4.bb b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.4.bb
index 57b26ec..e201277 100644
--- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.4.bb
+++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.4.bb
@@ -13,6 +13,7 @@
inherit initramfs-hook
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Initramfs hook for mounting writable overlays on top of immutable paths"
INITRAMFS_OVERLAY_RECOVERY_SCRIPT ??= "overlay_recovery_action.script"
diff --git a/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb b/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb
index 9ff4cbf..fccba26 100644
--- a/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb
+++ b/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb
@@ -12,5 +12,6 @@
inherit initramfs-hook
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Initramfs hook that adds SquashFS filesystem support during early boot"
HOOK_ADD_MODULES = "squashfs"
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.3.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.3.bb
index b2fb704..e67ae7c 100644
--- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.3.bb
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.3.bb
@@ -12,6 +12,7 @@
inherit initramfs-hook
MAINTAINER = "cip-dev <cip-dev@lists.cip-project.org>"
+DESCRIPTION = "Initramfs hook for mounting dm-verity protected root filesystems"
SRC_URI += " \
file://hook \
--
2.53.0
^ permalink raw reply related
* [isar-cip-core][PATCH v1] doc/README.factory-reset.md: Minor updates related to use cases and relevance to IEC 62443-4-2
From: Adithya.Balakumar @ 2026-06-02 6:00 UTC (permalink / raw)
To: cip-dev, jan.kiszka
Cc: Adithya Balakumar, shivanand.kunijadar, dinesh.kumar,
kazuhiro3.hayashi
From: Adithya Balakumar <Adithya.Balakumar@toshiba-tsip.com>
Signed-off-by: Adithya Balakumar <Adithya.Balakumar@toshiba-tsip.com>
---
doc/README.factory-reset.md | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/doc/README.factory-reset.md b/doc/README.factory-reset.md
index aa8dd1c..419e32b 100644
--- a/doc/README.factory-reset.md
+++ b/doc/README.factory-reset.md
@@ -51,3 +51,12 @@ root@demo:~# reboot
```
root@demo:~# find /var -name "to-be-deleted"
```
+
+## Use cases
+
+- The primary use case is resetting data partitions (e.g. `/home` and `/var`). This also resets any configuration changes made under `/etc`, since the read-write overlay for /etc is currently backed by /var.
+- If the `/etc` RW overlay is backed by a dedicated partition (separate from `/home` or `/var`), that partition can be formatted independently to restore default configurations (included at build time).
+
+## Relevance to IEC 62443-4-2
+
+- Factory reset feature helps meet requirements under CR 4.2 Information Persistance. Refer [here](https://gitlab.com/cip-project/cip-documents/-/blob/master/iec-62443-assessment/iec-62443-4-2/iec-62443-4-2-fr-4-fr-5.rst?ref_type=heads#id12) for more details on how the requirement is met.
--
2.39.5
^ permalink raw reply related
* RE: [cip-dev] [PATCH 6.1.y-cip] i2c: riic: Implement bus recovery
From: nobuhiro.iwamatsu.x90 @ 2026-05-28 22:04 UTC (permalink / raw)
To: pavel, prabhakar.mahadev-lad.rj; +Cc: cip-dev, biju.das.jz
In-Reply-To: <ahddIAv7e7UneixV@duo.ucw.cz>
HI all,
> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Pavel Machek via lists.cip-project.org
> Sent: Thursday, May 28, 2026 6:08 AM
> To: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
> Cc: cip-dev@lists.cip-project.org; iwamatsu nobuhiro(岩松 信洋 □DITC○CPT)
> <nobuhiro.iwamatsu.x90@mail.toshiba>; Pavel Machek <pavel@nabladev.com>; Biju Das
> <biju.das.jz@bp.renesas.com>
> Subject: Re: [cip-dev] [PATCH 6.1.y-cip] i2c: riic: Implement bus recovery
>
> HI!
>
> > commit ba9e1b5254783528e10b45b1f0fb40e21f4ff88a upstream.
> >
> > Implement I2C bus recovery support for the RIIC controller by making
> > use of software-controlled SCL and SDA line manipulation. The
> > controller allows forcing SCL and SDA levels through control bits,
> > which enables generation of manual clock pulses and a stop condition to free a stuck bus.
> >
> > This implementation wires up the bus recovery mechanism using
> > i2c_generic_scl_recovery and provides get/set operations for SCL and SDA.
> >
> > This allows the RIIC driver to recover from bus hang scenarios where
> > SDA is held low by a slave.
>
> This looks okay to me.
>
> Reviewed-by: Pavel Machek <pavel@nabladev.com>
>
> I can apply this if it passes testing and there are no other comments.
>
> Best regards,
> Pavel
Applied with Pavel's Reviewed-by tag, thanks.
Best regards,
Nobuhiro
^ permalink raw reply
* RE: [PATCH 6.1.y-cip] i2c: riic: Implement bus recovery
From: nobuhiro.iwamatsu.x90 @ 2026-05-28 8:44 UTC (permalink / raw)
To: prabhakar.mahadev-lad.rj, cip-dev, pavel; +Cc: biju.das.jz
In-Reply-To: <20260527162119.52245-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
Hi,
> -----Original Message-----
> From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
> Sent: Thursday, May 28, 2026 1:21 AM
> To: cip-dev@lists.cip-project.org; iwamatsu nobuhiro(岩松 信洋 □DITC○CPT)
> <nobuhiro.iwamatsu.x90@mail.toshiba>; Pavel Machek <pavel@nabladev.com>
> Cc: Biju Das <biju.das.jz@bp.renesas.com>
> Subject: [PATCH 6.1.y-cip] i2c: riic: Implement bus recovery
>
> commit ba9e1b5254783528e10b45b1f0fb40e21f4ff88a upstream.
>
> Implement I2C bus recovery support for the RIIC controller by making use of software-controlled SCL and SDA line
> manipulation. The controller allows forcing SCL and SDA levels through control bits, which enables generation of manual
> clock pulses and a stop condition to free a stuck bus.
>
> This implementation wires up the bus recovery mechanism using i2c_generic_scl_recovery and provides get/set
> operations for SCL and SDA.
>
> This allows the RIIC driver to recover from bus hang scenarios where SDA is held low by a slave.
>
> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
> Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
> Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
> Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
> Link: https://lore.kernel.org/r/20250501204003.141134-1-prabhakar.mahadev-lad.rj@bp.renesas.com
> Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
> ---
> drivers/i2c/busses/i2c-riic.c | 53 +++++++++++++++++++++++++++++++++--
> 1 file changed, 51 insertions(+), 2 deletions(-)
I reviewed this. and looks good to me.
I can apply, if test is OK and there is no comment,
Reviewed-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.x90@mail.toshiba>
Best regards,
Nobuhiro
^ permalink raw reply
* [ANNOUNCE] Release v4.19.325-cip133
From: Ulrich Hecht @ 2026-05-28 8:12 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, pavel@nabladev.com,
jan.kiszka@siemens.com, masami.ichikawa@cybertrust.co.jp,
chris.paterson2@renesas.com, nobuhiro.iwamatsu.x90@mail.toshiba
Hi,
the CIP kernel team has released Linux kernel v4.19.325-cip133. The linux-4.19.y-cip tree's base version has been updated to v4.19-st17. The trees are up-to-date with kernel 5.10.256.
You can get this release via the git tree or as a tarball from https://mirrors.edge.kernel.org/pub/linux/kernel/projects/cip/4.19/
v4.19.325-cip133:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.19.y-cip
commit hash:
9cd7882c4ff1122842b29191a5913970c5159ecc
Fixed CVEs:
CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags
CVE-2026-46333: ptrace: slightly saner 'get_dumpable()' logic
Best regards,
Ulrich Hecht
^ permalink raw reply
* RE: [cip-dev] [PATCH 5.10.y-cip 0/9] i2c: riic: Driver enhancements
From: nobuhiro.iwamatsu.x90 @ 2026-05-28 7:24 UTC (permalink / raw)
To: pavel, prabhakar.mahadev-lad.rj; +Cc: cip-dev, biju.das.jz
In-Reply-To: <ahde-JBeE7BGLuJh@duo.ucw.cz>
Hi,
> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Pavel Machek via lists.cip-project.org
> Sent: Thursday, May 28, 2026 6:16 AM
> To: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
> Cc: cip-dev@lists.cip-project.org; iwamatsu nobuhiro(岩松 信洋 □DITC○CPT)
> <nobuhiro.iwamatsu.x90@mail.toshiba>; Pavel Machek <pavel@nabladev.com>; Biju Das
> <biju.das.jz@bp.renesas.com>
> Subject: Re: [cip-dev] [PATCH 5.10.y-cip 0/9] i2c: riic: Driver enhancements
>
> Hi!
>
> > This patch series aims to add I2C bus recovery support to the Renesas
> > RIIC driver. Along with adding I2C bus recovery trivial cleanup
> > patches have also been backported.
> >
> > All the patches have been cherry-picked from the upstream kernel.
>
> This looks okay to me. Do you plan to do more backports to 5.10?
>
> Reviewed-by: Pavel Machek <pavel@nabladev.com>
>
> I can apply the series if it passes testing and there are no other comments.
I reviewed this series, so looks good to me too.
I will apply this series with Pavel's Reviewed-by tag.
>
> Best regards,
> Pavel
Best regards,
Nobuhiro
^ permalink raw reply
* [isar-cip-core][PATCH] linux-cip: Update to 4.4.302-cip111[-rt61] and 6.12.90-cip24
From: Jan Kiszka @ 2026-05-28 6:46 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...4.302-cip109-rt60.bb => linux-cip-rt_4.4.302-cip111-rt61.bb} | 2 +-
recipes-kernel/linux/linux-cip-rt_6.12.88-cip23.bb | 1 -
recipes-kernel/linux/linux-cip-rt_6.12.90-cip24.bb | 1 +
...{linux-cip_4.4.302-cip110.bb => linux-cip_4.4.302-cip111.bb} | 2 +-
.../{linux-cip_6.12.88-cip23.bb => linux-cip_6.12.90-cip24.bb} | 2 +-
5 files changed, 4 insertions(+), 4 deletions(-)
rename recipes-kernel/linux/{linux-cip-rt_4.4.302-cip109-rt60.bb => linux-cip-rt_4.4.302-cip111-rt61.bb} (68%)
delete mode 120000 recipes-kernel/linux/linux-cip-rt_6.12.88-cip23.bb
create mode 120000 recipes-kernel/linux/linux-cip-rt_6.12.90-cip24.bb
rename recipes-kernel/linux/{linux-cip_4.4.302-cip110.bb => linux-cip_4.4.302-cip111.bb} (68%)
rename recipes-kernel/linux/{linux-cip_6.12.88-cip23.bb => linux-cip_6.12.90-cip24.bb} (59%)
diff --git a/recipes-kernel/linux/linux-cip-rt_4.4.302-cip109-rt60.bb b/recipes-kernel/linux/linux-cip-rt_4.4.302-cip111-rt61.bb
similarity index 68%
rename from recipes-kernel/linux/linux-cip-rt_4.4.302-cip109-rt60.bb
rename to recipes-kernel/linux/linux-cip-rt_4.4.302-cip111-rt61.bb
index 66a7fdab..af553fd2 100644
--- a/recipes-kernel/linux/linux-cip-rt_4.4.302-cip109-rt60.bb
+++ b/recipes-kernel/linux/linux-cip-rt_4.4.302-cip111-rt61.bb
@@ -11,4 +11,4 @@
require linux-cip-release.inc
-SRC_URI[sha256sum] = "8dd1e6aafa63695c51ea8d5712384881a2dfa19be8538688d779d66d207382cd"
+SRC_URI[sha256sum] = "d82994372165c85e4de9bd76b8d785beb9590c0f96404e47de92e917c408193e"
diff --git a/recipes-kernel/linux/linux-cip-rt_6.12.88-cip23.bb b/recipes-kernel/linux/linux-cip-rt_6.12.88-cip23.bb
deleted file mode 120000
index 306c2a9e..00000000
--- a/recipes-kernel/linux/linux-cip-rt_6.12.88-cip23.bb
+++ /dev/null
@@ -1 +0,0 @@
-linux-cip_6.12.88-cip23.bb
\ No newline at end of file
diff --git a/recipes-kernel/linux/linux-cip-rt_6.12.90-cip24.bb b/recipes-kernel/linux/linux-cip-rt_6.12.90-cip24.bb
new file mode 120000
index 00000000..0bbe9619
--- /dev/null
+++ b/recipes-kernel/linux/linux-cip-rt_6.12.90-cip24.bb
@@ -0,0 +1 @@
+linux-cip_6.12.90-cip24.bb
\ No newline at end of file
diff --git a/recipes-kernel/linux/linux-cip_4.4.302-cip110.bb b/recipes-kernel/linux/linux-cip_4.4.302-cip111.bb
similarity index 68%
rename from recipes-kernel/linux/linux-cip_4.4.302-cip110.bb
rename to recipes-kernel/linux/linux-cip_4.4.302-cip111.bb
index 55e57d98..1c00f30e 100644
--- a/recipes-kernel/linux/linux-cip_4.4.302-cip110.bb
+++ b/recipes-kernel/linux/linux-cip_4.4.302-cip111.bb
@@ -11,4 +11,4 @@
require linux-cip-release.inc
-SRC_URI[sha256sum] = "d4c2646e4691e59c33c95d67b0d13fe00f463f43f3ecbfbe0295ac186cb77ab0"
+SRC_URI[sha256sum] = "d3cd13883e8c7f39613840594ae37dbe6ca5a6e0c368082e95554b0d043968b2"
diff --git a/recipes-kernel/linux/linux-cip_6.12.88-cip23.bb b/recipes-kernel/linux/linux-cip_6.12.90-cip24.bb
similarity index 59%
rename from recipes-kernel/linux/linux-cip_6.12.88-cip23.bb
rename to recipes-kernel/linux/linux-cip_6.12.90-cip24.bb
index f61cbf92..4f129f45 100644
--- a/recipes-kernel/linux/linux-cip_6.12.88-cip23.bb
+++ b/recipes-kernel/linux/linux-cip_6.12.90-cip24.bb
@@ -7,4 +7,4 @@
require linux-cip-release.inc
-SRC_URI[sha256sum] = "c7044d8f5135c80bb32c5f194a940b1bdf8904cd80eea1aee90588be0e12d59d"
+SRC_URI[sha256sum] = "acf2bc2fa5d793849b97bd32cd6274ba45391464492be52a2036ba8bbdc64247"
--
2.47.3
^ permalink raw reply related
* Re: [isar-cip-core][PATCH v2 1/1] chore(factory-reset): make btrfs support optional
From: Jan Kiszka @ 2026-05-28 6:44 UTC (permalink / raw)
To: Felix Moessbauer, cip-dev
In-Reply-To: <20260527091648.764283-1-felix.moessbauer@siemens.com>
On 27.05.26 11:16, Felix Moessbauer wrote:
> To reduce the footprint and attack surface of our images, we make the
> support of btrfs in the factory-reset initramfs hook optional. By that,
> we extend the interface to also allow support for further file system
> types.
>
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
> Changes since v1:
>
> Rename control variable to INITRAMFS_FACTORY_RESET_FSTYPES, make it a
> list for further extension.
>
> .../initramfs-factory-reset-hook_0.3.bb | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.3.bb b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.3.bb
> index e962a51..670725b 100644
> --- a/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.3.bb
> +++ b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.3.bb
> @@ -20,6 +20,9 @@ INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE ??= "ext4"
> INITRAMFS_FACTORY_RESET_CLEAR_TPM ??= '0'
> INITRAMFS_FACTORY_RESET_CLEAR_TPM:encrypt-partitions ?= '1'
>
> +# to support factory reset on btrfs, add 'btrfs'
> +INITRAMFS_FACTORY_RESET_FSTYPES = "${INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE}"
> +
> SRC_URI += " \
> file://factory-reset-script.tmpl \
> file://reset-env.tmpl \
> @@ -35,14 +38,18 @@ TEMPLATE_VARS += " INITRAMFS_FACTORY_RESET_DEVICES \
> RDEPENDS = "factory-reset-helper \
> initramfs-cip-functions"
>
> -DEBIAN_DEPENDS .= ", coreutils, util-linux, e2fsprogs, btrfs-progs, awk, \
> +DEBIAN_DEPENDS .= ", coreutils, util-linux, e2fsprogs, awk, \
> factory-reset-helper, findutils, initramfs-cip-functions"
> DEBIAN_DEPENDS:append:encrypt-partitions = ", tpm2-tools"
> -HOOK_COPY_EXECS = "mountpoint findmnt mktemp rmdir basename \
> - mke2fs mkfs.btrfs awk blkid rm get-factory-reset.sh \
> +HOOK_COPY_EXECS = "mountpoint findmnt mktemp basename \
> + mke2fs awk blkid rm get-factory-reset.sh \
> chattr grep find"
> HOOK_COPY_EXECS:append:encrypt-partitions = " tpm2_clear"
>
> +OVERRIDES .= "${@':btrfs-support' if 'btrfs' in d.getVar('INITRAMFS_FACTORY_RESET_FSTYPES') else ''}"
> +DEBIAN_DEPENDS:append:btrfs-support = ", btrfs-progs"
> +HOOK_COPY_EXECS:append:btrfs-support = " mkdir rmdir mkfs.btrfs"
> +
> HOOK_ADD_MODULES = "efivarfs"
>
> do_install[cleandirs] += "${D}/usr/share/factory-reset/"
Thanks, applied.
Jan
--
Siemens AG, Foundational Technologies
Linux Expert Center
^ permalink raw reply
* Re: [cip-dev] CIP IRC weekly meeting today on libera.chat
From: Masami Ichikawa @ 2026-05-28 6:14 UTC (permalink / raw)
To: jan.kiszka; +Cc: cip-dev
In-Reply-To: <ee790f7b-6e1e-4dc4-91f3-f93c3fba4d33@siemens.com>
Hello.
I'll be absent today.
On Thu, May 28, 2026 at 8:18 AM Jan Kiszka via lists.cip-project.org
<jan.kiszka=siemens.com@lists.cip-project.org> wrote:
>
> Hi all,
>
> Kindly be reminded to attend the weekly meeting through IRC to discuss
> technical topics with CIP kernel today. Our channel is the following:
>
> irc:irc.libera.chat:6697/cip
>
> The IRC meeting is scheduled to UTC (GMT) 12:00:
>
> https://www.timeanddate.com/worldclock/meetingdetails.html?year=2026&month=5&day=28&hour=12&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248
>
> USWest USEast UK DE TW JP
> 05:00 08:00 13:00 14:00 20:00 21:00
>
> Last meeting minutes:
> https://ircbot.wl.linuxfoundation.org/meetings/cip/2026/05/cip.2026-05-21-12.06.log.html
>
> * Action items
> * Kernel maintenance updates
> * Kernel release status [*]
> * Kernel testing
> * AOB
>
> Jan
>
> [*]
> Date the data is created: Wed May 27 11:16:26 PM UTC 2026
> linux-4.4.y-cip: interval 30 day
> latest version release date: Tue May 19 02:53:20 PM UTC 2026
> limit date: Thu Jun 18 02:53:20 PM UTC 2026
> Status: On track
> linux-4.4.y-cip-rt: interval 60 day
> latest version release date: Mon May 25 11:40:18 AM UTC 2026
> limit date: Fri Jul 24 11:40:18 AM UTC 2026
> Status: On track
> linux-4.19.y-cip: interval 30 day
> latest version release date: Thu May 7 11:06:48 AM UTC 2026
> limit date: Sat Jun 6 11:06:48 AM UTC 2026
> Status: On track
> linux-4.19.y-cip-rt: interval 60 day
> latest version release date: Tue May 12 11:56:37 AM UTC 2026
> limit date: Sat Jul 11 11:56:37 AM UTC 2026
> Status: On track
> linux-5.10.y-cip: interval 30 day
> latest version release date: Fri May 15 10:25:33 PM UTC 2026
> limit date: Sun Jun 14 10:25:33 PM UTC 2026
> Status: On track
> linux-5.10.y-cip-rt: interval 60 day
> latest version release date: Mon May 4 10:49:51 AM UTC 2026
> limit date: Fri Jul 3 10:49:51 AM UTC 2026
> Status: On track
> linux-6.1.y-cip: interval 30 day
> latest version release date: Fri May 15 10:28:23 PM UTC 2026
> limit date: Sun Jun 14 10:28:23 PM UTC 2026
> Status: On track
> linux-6.1.y-cip-rt: interval 60 day
> latest version release date: Mon Apr 13 11:43:31 AM UTC 2026
> limit date: Fri Jun 12 11:43:31 AM UTC 2026
> Status: On track
> linux-6.12.y-cip: interval 15 day
> latest version release date: Thu May 21 11:47:46 PM UTC 2026
> limit date: Fri Jun 5 11:47:46 PM UTC 2026
> Status: On track
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#23030): https://lists.cip-project.org/g/cip-dev/message/23030
> Mute This Topic: https://lists.cip-project.org/mt/119522314/4520416
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/unsub [masami.ichikawa@miraclelinux.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
^ permalink raw reply
* CIP IRC weekly meeting today on libera.chat
From: Jan Kiszka @ 2026-05-27 23:18 UTC (permalink / raw)
To: cip-dev
Hi all,
Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today. Our channel is the following:
irc:irc.libera.chat:6697/cip
The IRC meeting is scheduled to UTC (GMT) 12:00:
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2026&month=5&day=28&hour=12&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248
USWest USEast UK DE TW JP
05:00 08:00 13:00 14:00 20:00 21:00
Last meeting minutes:
https://ircbot.wl.linuxfoundation.org/meetings/cip/2026/05/cip.2026-05-21-12.06.log.html
* Action items
* Kernel maintenance updates
* Kernel release status [*]
* Kernel testing
* AOB
Jan
[*]
Date the data is created: Wed May 27 11:16:26 PM UTC 2026
linux-4.4.y-cip: interval 30 day
latest version release date: Tue May 19 02:53:20 PM UTC 2026
limit date: Thu Jun 18 02:53:20 PM UTC 2026
Status: On track
linux-4.4.y-cip-rt: interval 60 day
latest version release date: Mon May 25 11:40:18 AM UTC 2026
limit date: Fri Jul 24 11:40:18 AM UTC 2026
Status: On track
linux-4.19.y-cip: interval 30 day
latest version release date: Thu May 7 11:06:48 AM UTC 2026
limit date: Sat Jun 6 11:06:48 AM UTC 2026
Status: On track
linux-4.19.y-cip-rt: interval 60 day
latest version release date: Tue May 12 11:56:37 AM UTC 2026
limit date: Sat Jul 11 11:56:37 AM UTC 2026
Status: On track
linux-5.10.y-cip: interval 30 day
latest version release date: Fri May 15 10:25:33 PM UTC 2026
limit date: Sun Jun 14 10:25:33 PM UTC 2026
Status: On track
linux-5.10.y-cip-rt: interval 60 day
latest version release date: Mon May 4 10:49:51 AM UTC 2026
limit date: Fri Jul 3 10:49:51 AM UTC 2026
Status: On track
linux-6.1.y-cip: interval 30 day
latest version release date: Fri May 15 10:28:23 PM UTC 2026
limit date: Sun Jun 14 10:28:23 PM UTC 2026
Status: On track
linux-6.1.y-cip-rt: interval 60 day
latest version release date: Mon Apr 13 11:43:31 AM UTC 2026
limit date: Fri Jun 12 11:43:31 AM UTC 2026
Status: On track
linux-6.12.y-cip: interval 15 day
latest version release date: Thu May 21 11:47:46 PM UTC 2026
limit date: Fri Jun 5 11:47:46 PM UTC 2026
Status: On track
^ permalink raw reply
* RE: [PATCH 5.10.y-cip 0/9] i2c: riic: Driver enhancements
From: Prabhakar Mahadev Lad @ 2026-05-27 22:55 UTC (permalink / raw)
To: Pavel Machek; +Cc: cip-dev@lists.cip-project.org, Nobuhiro Iwamatsu, Biju Das
In-Reply-To: <ahde-JBeE7BGLuJh@duo.ucw.cz>
Hi Pavel,
> -----Original Message-----
> From: Pavel Machek <pavel@nabladev.com>
> Sent: 27 May 2026 22:16
> To: Prabhakar Mahadev Lad <prabhakar.mahadev-lad.rj@bp.renesas.com>
> Cc: cip-dev@lists.cip-project.org; Nobuhiro Iwamatsu
> <nobuhiro.iwamatsu.x90@mail.toshiba>; Pavel Machek <pavel@nabladev.com>;
> Biju Das <biju.das.jz@bp.renesas.com>
> Subject: Re: [PATCH 5.10.y-cip 0/9] i2c: riic: Driver enhancements
>
> Hi!
>
> > This patch series aims to add I2C bus recovery support to the Renesas
> > RIIC driver. Along with adding I2C bus recovery trivial cleanup
> > patches have also been backported.
> >
> > All the patches have been cherry-picked from the upstream kernel.
>
> This looks okay to me. Do you plan to do more backports to 5.10?
>
In regard to I2C driver, no I won't plan to do more backports.
> Reviewed-by: Pavel Machek <pavel@nabladev.com>
>
> I can apply the series if it passes testing and there are no other
> comments.
>
Thank you for the review.
Cheers,
Prabhakar
^ permalink raw reply
* [kernel-cve-report] New CVE entries this week
From: Masami Ichikawa @ 2026-05-27 22:26 UTC (permalink / raw)
To: cip-dev
Hi!
It's this week's CVE report.
This week reported 288 new CVEs and 8 updated CVEs.
CVE-2026-43494 is known as PinTheft.
* New CVEs
CVE-2026-43494: net/rds: reset op_nents when zerocopy page pin fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43494
Introduced by commit 0cebacc ("rds: zerocopy Tx support.") in v4.17-rc1.
Fixed in v7.1-rc4.
This bug as known as PinTheft.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e174929793195e0cd6a4adb0cad731b39f9019b4]
stable/6.12: [0bbbff00a15b1df2cac9014d6cf4b6890f473353]
stable/6.18: [640e37f58f991546a87540d067279c2c1fa9fe51]
stable/6.6: [9115669faedccdda100428e2d26fd0aac8c50799]
stable/7.0: [290e833d1acb1093bc121fcdc97f5e6161157479]
CVE-2026-43495: net: wwan: t7xx: validate port_count against message
length in t7xx_port_enum_msg_handler
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43495
Introduced by commit da45d25 ("net: wwan: t7xx: Add control port") in v5.19-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0e7c074cfcd9bd93765505f9eb8b42f03ed2a744]
stable/6.12: [9855e063e063158cc5bded576382599dc3133202]
stable/6.18: [2b56d7903ab804481f5233a259d5f341e9fd513c]
stable/6.6: [f94450ce5053b36002995b72d1fa1db3bb08c5bf]
stable/7.0: [dd4f4c93c1488d7100b9964f2da4c8b3c29652f1]
CVE-2026-43496: net/sched: sch_red: Replace direct dequeue call with
peek and qdisc_dequeue_peeked
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43496
Introduced by commit 77be155 ("pkt_sched: Add peek emulation for
non-work-conserving qdiscs.") in v2.6.29-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [458d5615272d3de535748342eb68ca492343048c]
stable/6.12: [ce051eede433f876d322ac3550a36a3c6fc4c231]
stable/6.18: [8d09618840b99ef00154d3e731ce9b11e096196d]
stable/6.6: [36aa34f42cb6842cf371f3a2d3e855d24fd57a50]
stable/7.0: [587dcf970a525f543d8b5855d9f37a4ca97b76ef]
CVE-2026-43497: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent
use-after-free
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43497
According to the .vulnerable file, this bug was introduced by commit
7433914 in v4.19-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8de779dc40d35d39fa07387b6f921eb11df0f511]
stable/6.12: [18dd358de72d57993422cbb5dfb29ccd74efe192]
stable/6.18: [da9b065cedfd3b574f229d5be594e6aa47a27ae6]
stable/6.6: [4f312c30f0368e8d2a76aa650dff73f23490b5e7]
stable/7.0: [a2c53a3822ee26e8d758071815b9ed3bf6669fc1]
CVE-2026-43498: accel/ivpu: Disallow re-exporting imported GEM objects
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43498
Introduced by commit 5755796 ("accel/ivpu: Add support for userptr
buffer objects") in v6.19-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7dd57d7a6350770dfc283287125c409e995200e0]
stable/7.0: [3756043dd695bba34cc728cdc5688dcb49ac8043]
CVE-2026-43499: rtmutex: Use waiter::task instead of current in remove_waiter()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43499
Introduced by commit 8161239 ("rtmutex: Simplify PI algorithm and make
highest prio task get lock") in v2.6.39-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3bfdc63936dd4773109b7b8c280c0f3b5ae7d349]
stable/6.12: [6d52dfcb2a5db86e346cf51f8fcf2071b8085166]
stable/6.18: [3fb7394a837740770f0d6b4b30567e60786a63f2]
stable/6.6: [8a1fc8d698ac5e5916e3082a0f74450d71f9611f]
stable/7.0: [88614876370aac8ad1050ad785a4c095ba17ac11]
CVE-2026-43501: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43501
Introduced by commit 8610c7c ("net: ipv6: add support for rpl sr
exthdr") in v5.7-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9e6bf146b55999a095bb14f73a843942456d1adc]
stable/6.12: [4babc2d9fda2df43823b85d08a0180b68f1b0854]
stable/6.18: [c261d07a80576dc8ccf394ef8f074f8c67a06b37]
stable/6.6: [8e8be63465a5e80394c70324603dfea1bfdad48f]
stable/7.0: [7398ebefbfd4f8a31d4f665a4213302fa995494b]
CVE-2026-43502: net/rds: handle zerocopy send cleanup before the
message is queued
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43502
Introduced by commit 0cebacc ("rds: zerocopy Tx support.") in v4.17-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [44b550d88b267320459d518c0743a241ab2108fa]
stable/6.12: [3abc8983b2bae3f487f77d9da5527d7d6b210d46]
stable/6.18: [14ef6fd18db2494098b21e0471bf27a1d8e9993e]
stable/6.6: [21d70744e6d3bbf9293aa1ee6fba7c53ad75275e]
stable/7.0: [0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b]
CVE-2026-43503: net: skbuff: propagate shared-frag marker through
frag-transfer helpers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-43503
Introduced by cef401de7be8 ("net: fix possible wrong checksum
generation") in v3.9-rc1 and f4c50a4034e6 ("xfrm: esp: avoid in-place
decrypt on shared skb frags") in 7.1-rc3.
Bug introduced commit was backported to following branches.
cip/5.10 cip/6.1 cip/6.12 stable/5.10 stable/5.15 stable/6.1
stable/6.12 stable/6.18 stable/6.6 stable/7.0
Fixed status
mainline: [48f6a5356a33dd78e7144ae1faef95ffc990aae0]
stable/5.10: [fbeab9555564a1b98e8582cd106dfe46c4606991]
stable/5.15: [179f1852bdedc300e373e807cc102cd81feff196]
stable/6.1: [12401fcfb01f53ccc63ab0a3246570fe8f3105ee]
stable/6.12: [fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8]
stable/6.18: [ff375cc75f9167168db38e0464a482d5fbc8d81d]
stable/6.6: [989214c66884d70716d83dc1d0bf5e16287bf349]
stable/7.0: [9bc9d6d6967a2239aa57af2aa53554eddd640d20]
CVE-2026-45834: Bluetooth: L2CAP: Fix null-ptr-deref in
l2cap_sock_state_change_cb()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45834
Introduced by commit 89bc500 ("Bluetooth: Add state tracking to struct
l2cap_chan") in v3.1-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2ff1a41a912de8517b4482e946dd951b7d80edbf]
stable/6.12: [c88c185ae0a1067823661b220aeea613df2c127b]
stable/6.18: [1810e42ff6716f320c7269d5850eca48b07b7427]
stable/6.6: [5105f3e6b2df619c635b5f6a49fac131a36c7952]
stable/7.0: [a2dcf1a61d056aef15b63c6eae9441344d624389]
CVE-2026-45835: Bluetooth: L2CAP: Fix null-ptr-deref in
l2cap_sock_new_connection_cb()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45835
Introduced by commit 80808e4 ("Bluetooth: Add l2cap_chan_ops
abstraction") in v3.1-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0a120d96166301d7a95be75b52f843837dbd1219]
stable/6.12: [bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9]
stable/6.18: [741e6024e31587b0c021b6616a9e428a4ea0b64a]
stable/6.6: [ab77c8bc30269bee15d917059a66bea48909f5f0]
stable/7.0: [76083fb80f5a38ac13326b2d810f66bd07771eea]
CVE-2026-45836: Bluetooth: L2CAP: Fix null-ptr-deref in
l2cap_sock_get_sndtimeo_cb()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45836
Introduced by commit 8d836d7 ("Bluetooth: Access sk_sndtimeo
indirectly in l2cap_core.c") in v3.13-rc1.
Fixed in v7.1-rc3.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [78a88d43dab8d23aeef934ed8ce34d40e6b3d613]
stable/6.12: [58dc5e3d8768e121907608e6e196a908512fb083]
stable/6.18: [32bd343803d4ba47cc516f9d5f037f01b855d767]
stable/6.6: [cf1fd517f892ded88168df878f834b625133f86d]
stable/7.0: [a93d66907dd4d29b65c9797a93784bf61906d6d6]
CVE-2025-71303: accel/amdxdna: Fix race condition when checking rpm_on
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71303
Introduced by commit 063db45 ("accel/amdxdna: Enhance runtime power
management") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [00ffe45ece80160aef446d74ded906352f21dd72]
CVE-2025-71304: smack: /smack/doi: accept previously used values
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71304
Introduced by commit e114e47 ("Smack: Simplified Mandatory Access
Control Kernel") in v2.6.25-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [67b8493a0b33a31b1acb73d961f01e541696e587]
cip/4.4-st: [3ea6dcc4c441de72eab68fa211a2f2851a1ab28d]
mainline: [33d589ed60ae433b483761987b85e0d24e54584e]
stable/5.10: [eb718a3c8181ada679340db34cd61bce48e44749]
stable/5.15: [6ec091c5c7eeabd249a7c46813cad1e9f555f859]
stable/6.1: [199452f22d2f74b897fe826f81ec402b0a8461a0]
stable/6.12: [f8071500177f38cff38892bd85ac631cc6e010b2]
stable/6.18: [5a247a84de0ba44edbbd6be851c8a6b2aa60ff85]
stable/6.6: [1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3]
CVE-2025-71305: drm/display/dp_mst: Add protection against 0 vcpi
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71305
Introduced commit is not determined.Fixed in v7.0-rc1.
Affected code was added by 4d07b0b ("drm/display/dp_mst: Move all
payload info into the atomic state") in 6.1-rc1.
Fixed status
mainline: [342ccffd9f77fc29fe1c05fd145e4d842bd2feaa]
stable/6.1: [95dbd525efce2a9e9e1c50ad15213de644c85ad0]
stable/6.12: [3f44cdb5371faf225af37d5caba8f21ec0572469]
stable/6.18: [4d2ccdea18b564e3f73e3e543854acea64e6277d]
stable/6.6: [ac9a7c329a5610051fc476644c9b9145a5965ecb]
CVE-2025-71306: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71306
Introduced by commit 95b3cda ("ima: instantiate the
bprm_creds_for_exec() hook") in v6.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [377cae9851e8559e9d8b82a78c1ac0abeb18839c]
CVE-2025-71307: drm/panthor: Fix NULL pointer dereference on panthor_fw_unplug
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71307
Introduced by commit 5140725 ("drm/panthor: Support GLB_REQ.STATE
field for Mali-G1 GPUs") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [920c6af98e98e6afedf6318a75bac95af8415c6c]
CVE-2025-71308: accel/amdxdna: Fix potential NULL pointer dereference
in context cleanup
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71308
Introduced by commit be462c9 ("accel/amdxdna: Add hardware context")
in v6.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [97f27573837ef96b4ba42af463cc800cab615c0e]
CVE-2025-71309: fs/ntfs3: fix deadlock in ni_read_folio_cmpr
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71309
Introduced by commit f35590e ("fs/ntfs3: remove ntfs_bio_pages and use
page cache for compressed I/O") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e37a75bb866c29da954b51d0dd7670406246d9ee]
CVE-2025-71311: fs/ntfs3: Initialize new folios before use
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71311
Introduced by commit 584f60b ("ntfs3: Convert ntfs_get_frame_pages()
to use a folio") in v6.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f223ebffa185cc8da934333c5a31ff2d4f992dc9]
stable/6.12: [dd6c81527d097b3b0bf5a15c2fdc9657d045144c]
stable/6.18: [5a30cc03bde169ad558695b26da6ea7e55f6194a]
CVE-2025-71312: fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()
Announce: https://www.cve.org/CVERecord?id=CVE-2025-71312
Introduced by commit aee4d5a ("ntfs3: fix double free of
sbi->options->nls and clarify ownership of fc->fs_private") in
v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f7edab0cee03a1cbe0e55a7bcab8d2d8b6b74278]
CVE-2026-45837: bpf: Fix use-after-free in arena_vm_close on fork
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45837
Introduced by commit 3174603 ("bpf: Introduce bpf_arena.") in v6.9-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4fddde2a732de60bb97e3307d4eb69ac5f1d2b74]
stable/6.12: [723b9fa930cc277c15ce6b9ec9feec828cfac9d7]
stable/6.18: [d18099f19e53250f8ad2801498b88cec29d9107a]
stable/7.0: [201128fcc7b213d27ab77bc4e89488b41796480f]
CVE-2026-45838: bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45838
Introduced by commit de9cbba ("bpf: introduce cgroup storage maps") in
v4.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5828b9e5b272ecff7cf5d345128d3de7324117f7]
stable/6.12: [85a2f30e40f7468db732f55659bc6318874f49af]
stable/6.18: [32ce55d424395904986f5066f8755f6cb9993377]
stable/6.6: [b4b5a20bed82130da2f2818f04d52378952fbd0b]
stable/7.0: [fc39753b7f92e09177777e9c648afe5aa3abb81f]
CVE-2026-45839: bpf: reject negative CO-RE accessor indices in
bpf_core_parse_spec()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45839
Introduced by commit ddc7c30 ("libbpf: implement BPF CO-RE offset
relocation algorithm") in v5.4-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1c22483a2c4bbf747787f328392ca3e68619c4dc]
stable/6.12: [36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a]
stable/6.18: [76f2ebaf79a9ae6d0737b87f045fe769e425d78f]
stable/6.6: [3ff85ae79e1a74baeb916b78a63d821f6d19a994]
stable/7.0: [99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2]
CVE-2026-45840: openvswitch: cap upcall PID array size and pre-size
vport replies
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45840
Introduced by commit 5cd667b ("openvswitch: Allow each vport to have
an array of 'port_id's.") in v3.17-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2091c6aa0df6aba47deb5c8ab232b1cb60af3519]
stable/6.12: [f99ac36b5d7c719d08a69fcdecce40f78a874e15]
stable/6.18: [fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704]
stable/6.6: [f9ef3db77a383d66847fd082c2b437d8ae4d9c63]
stable/7.0: [1d6c02b86329883aa467a3a61f8d34369db73a2f]
CVE-2026-45841: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45841
Introduced by commit 11eeef4 ("netfilter: passive OS fingerprint
xtables match") in v2.6.31-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2195574dc6d9017d32ac346987e12659f931d932]
stable/6.12: [c55940895245d8ef658ab381248a28755218d625]
stable/6.18: [fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f]
stable/6.6: [8def8fbd23f40e945febe913d04b731012ce0082]
stable/7.0: [9a05e195618a6d474f2bcd5b6376d0ffc2f00366]
CVE-2026-45842: slip: reject VJ receive packets on instances with no
rstate array
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45842
Introduced by commit 4ab42d7 ("ppp, slip: Validate VJ compression slot
parameters completely") in v4.4-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e76607442d5b73e1ba6768f501ef815bb58c2c0e]
stable/6.12: [de42f86e2cf5028a97e74c25869d1a962b13c301]
stable/6.18: [9e1ff0eead073c4f46d874ad2526b7dda5465faf]
stable/6.6: [c6980e8b1a86288167f34966fa5219031999b6f1]
stable/7.0: [7b0d9e878ec2b21d99ae8051b3dda59cdb66c152]
CVE-2026-45843: slip: bound decode() reads against the compressed packet length
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45843
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7]
stable/6.12: [4cefe32639933d652614b0bd50f818f9af4af78f]
stable/6.18: [0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d]
stable/6.6: [37537e42e6df387398bee85cb85070cc80bb1e10]
stable/7.0: [d42bec6e4f6d6d658be365539400b3314b76b2a7]
CVE-2026-45844: netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45844
Introduced by commit 6752c8d ("firewire net, ipv4 arp: Extend hardware
address and remove driver-level packet inspection.") in v3.10-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1e8e3f449b1e73b73a843257635b9c50f0cc0f0a]
stable/6.12: [03ea11dbefaa55c502735ee551c89ef773fe753b]
stable/6.18: [1c55053f8ffdc060006df898fd3664e3d1bfac7b]
stable/6.6: [ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b]
stable/7.0: [ac698d81fd6619c7504cee913f1cab5285fba1b7]
CVE-2026-45845: net/sched: taprio: fix NULL pointer dereference in class dump
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45845
Introduced by commit 665338b ("net/sched: taprio: dump class stats for
the actual q->qdiscs[]") in v6.6-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3d07ca5c0fae311226f737963984bd94bb159a87]
stable/6.12: [d02e2fbf60de46678e2ea698a6a904fd21e1cc31]
stable/6.18: [48b26d48e76221dc90b02bf5428bab53643461ca]
stable/6.6: [ec2501e361b08b50bcb1e7b3253fc861abbda28d]
stable/7.0: [8f1ff8866cb9f655e5faea6994eb902960be8e04]
CVE-2026-45846: bareudp: fix NULL pointer dereference in
bareudp_fill_metadata_dst()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45846
Introduced by commit 571912c ("net: UDP tunnel encapsulation module
for tunnelling different protocols like MPLS, IP, NSH etc.") in
v5.7-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [aa6c6d9ee064aabfede4402fd1283424e649ca19]
stable/6.12: [35a115a204be08f97450b0389413e218268ef4a2]
stable/6.18: [74a02921c48fcd35a7881956c9e5c52b86595f5d]
stable/6.6: [a0f4e4e8e0f5e24ddd83e3d1221732621cf34636]
stable/7.0: [638905520fc4fae6a80991563f264131545ba3df]
CVE-2026-45847: net: remove WARN_ON_ONCE when accessing forward path array
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45847
Introduced by commit ddb94ea ("net: resolve forwarding path from
virtual netdevice and HW destination address") in v5.13-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [008e7a7c293b30bc43e4368dac6ea3808b75a572]
stable/5.15: [548244c2f542aa0ad49453e9306e715a3877bc44]
stable/6.1: [dcf9b3c90e5560339649d088836529883fb509f3]
stable/6.12: [959ea349c7e2d4edf07b6838ca7e59345fe61a08]
stable/6.18: [50422613185d505201167e8bdd2f2700790d5db6]
stable/6.6: [9464ca7a6e56ad1ebf48b2ad5c16871edfad10c6]
CVE-2026-45848: apparmor: fix NULL sock in aa_sock_file_perm
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45848
Introduced by commit 56974a6 ("apparmor: add base infastructure for
socket mediation") in v4.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [58607749a2ec80cd5bb900e8d11b1ffeb3f6601b]
mainline: [00b67657535dfea56e84d11492f5c0f61d0af297]
stable/5.10: [68538ec34fcb4194c7961dc4eca6f5537fec8067]
stable/5.15: [5121b7283f1c46e4c06b88b1dda7b064429d77de]
stable/6.1: [c11b7c3280d000376e27ebfed17ec7046699eab4]
stable/6.12: [3852eb9a0392eb435c03dcb47d581bcfe6a9a95b]
stable/6.18: [ccb66a3c6c8f51b3ed1bc003b70bb9ff99e8d835]
stable/6.6: [0dc19bca22606f7a61d5988408f74e3ae0ef3486]
CVE-2026-45849: net: mscc: ocelot: add missing lock protection in
ocelot_port_xmit_inj()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45849
Introduced by commit c5e12ac ("net: mscc: ocelot: serialize access to
the injection/extraction groups") in v6.11-rc5.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt stable/6.1 stable/6.6
Fixed status
mainline: [026f6513c5880c2c89e38ad66bbec2868f978605]
stable/6.1: [0b217a40156f497e09dd20d3f7baec40c785f386]
stable/6.12: [7ac58d8832802ec89baa7539e13e6d58a88cce04]
stable/6.18: [51c32ae7fae14552d79f7139614b77c1bbd57a48]
stable/6.6: [cc1b179f778f98270bdbbb48d183b4b6427ae198]
CVE-2026-45850: ipvs: skip ipv6 extension headers for csum checks
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45850
Introduced by commit 2906f66 ("ipvs: SCTP Trasport Loadbalancing
Support") in v2.6.34-rc1.
Introduced by commit 0bbdd42 ("IPVS: Extend protocol DNAT/SNAT and
state handlers") in v2.6.28-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [05cfe9863ef049d98141dc2969eefde72fb07625]
CVE-2026-45851: efi: Fix reservation of unaccepted memory table
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45851
Introduced by commit 8dbe339 ("efi/unaccepted: Make sure unaccepted
table is mapped") in v6.6-rc3.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0862438c90487e79822d5647f854977d50381505]
stable/6.12: [ba6b6f1502fa55621d1db23f253d54322bdbe4e0]
stable/6.18: [9b18bf59977f5c5bc3b11b210520f62500a7adf3]
stable/6.6: [b7bc182ec1846be437351e44164089d988f9d0dd]
CVE-2026-45852: RDMA/rxe: Fix double free in rxe_srq_from_init
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45852
Introduced by commit aae0484 ("IB/rxe: avoid srq memory leak") in v4.20-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st
Fixed status
mainline: [0beefd0e15d962f497aad750b2d5e9c3570b66d1]
stable/5.10: [22b8c23a3b92d023614bb00896fe364b2c1a31d3]
stable/5.15: [af5956243018918130d52c9f671efdb40bab3366]
stable/6.1: [d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947]
stable/6.12: [ce6f8e007682f378279d4cf83b240f12d52c723b]
stable/6.18: [5c07aef09a121a4cd622a71eb0753a9e135c84a8]
stable/6.6: [26793db60925df1e88a29466813d586cbc190b8c]
CVE-2026-45853: drm/amdgpu: Use kvfree instead of kfree in
amdgpu_gmc_get_nps_memranges()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45853
Introduced by commit b194d21 ("drm/amdgpu: Use NPS ranges from
discovery table") in v6.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0c44d61945c4a80775292d96460aa2f22e62f86c]
stable/6.12: [16e7e7ad8cdc6b4c4af7f31e262f1494c1b2a55e]
stable/6.18: [9ae85b0c1909b6c6bfd2636b04cdaf7f520bf2b5]
CVE-2026-45854: crypto: inside-secure/eip93 - unregister only
available algorithm
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45854
Introduced by commit 9739f5f ("crypto: eip93 - Add Inside Secure
SafeXcel EIP-93 crypto engine support") in v6.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0ceeadc7b53a041d89d5843f6bf0ccb7c98b0b4f]
stable/6.18: [243d642ff5809811208fa1707b7ab8a6ab4b1d68]
CVE-2026-45855: ata: libata-scsi: avoid Non-NCQ command starvation
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45855
Introduced by commit bdb0130 ("scsi: Add host and host template flag
'host_tagset'") in v5.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0ea84089dbf62a92dc7889c79e6b18fc89260808]
stable/6.12: [ce22aaed011206fed9cbd8c9c2d44718607f31ee]
stable/6.18: [888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2]
CVE-2026-45856: RDMA/uverbs: Validate wqe_size before using it in
ib_uverbs_post_send
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45856
Introduced by commit c3bea3d ("RDMA/uverbs: Use the iterator for
ib_uverbs_unmarshall_recv()") in v5.0-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0]
stable/5.10: [9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7]
stable/5.15: [9b5ac1c15334d46c0dbd49d64a2257b929500163]
stable/6.1: [01c9b152647dc70dc06a4a2eff86ebb3b3c76075]
stable/6.12: [d533425ac1f2925b4fc3e4ed9b9d72362cb23475]
stable/6.18: [bf4454da8b1e712714628c0a0d6e7845bb40790a]
stable/6.6: [bf1feed1a7886af945f92890493aefd2b5c9928a]
CVE-2026-45857: scsi: csiostor: Fix dereference of null pointer rn
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45857
Introduced by commit a3667aa ("[SCSI] csiostor: Chelsio FCoE offload
driver") in v3.8-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [df377f5b4bceaa58c90e0feeb6cfd258eed38885]
cip/4.4-st: [1b4fd0ad8c2b5da142478625aa0ec6939b698bb5]
mainline: [1982257570b84dc33753d536dd969fd357a014e9]
stable/5.10: [16ccbfddcb32365138c806cf572e69b42a193c5c]
stable/5.15: [44ef9f81392de885883f73b9f5c43936a82ae9d7]
stable/6.1: [526ea3c0ccd495b0079db3e28fdddd51c1bf01f7]
stable/6.12: [6037124dbf675fbd0a6248aaf04cf07387b8c323]
stable/6.18: [25ab5e97d3c5f3ed594b4a65d1cc99dc24756681]
stable/6.6: [25d623f0d77c11a256a54e860d00c239aa9a2583]
CVE-2026-45858: ext4: don't zero the entire extent if
EXT4_EXT_DATA_PARTIAL_VALID1
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45858
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
mainline: [1bf6974822d1dba86cf11b5f05498581cf3488a2]
stable/6.1: [ddf854e59166533b0f46ba32cd6cd9aca3197d1b]
stable/6.12: [d17857b4fb9ba5745b59be0ef38fd532991fccbf]
stable/6.18: [d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88]
stable/6.6: [58ddae5d77b1db3a27b891c75a8fa120239ac092]
CVE-2026-45859: netfilter: nfnetlink_queue: do shared-unconfirmed
check before segmentation
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45859
Introduced by commit 7d8dc1c ("netfilter: nf_queue: drop packets with
cloned unconfirmed conntracks") in v6.11-rc4.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt stable/5.15 stable/6.1 stable/6.6
Fixed status
mainline: [207b3ebacb6113acaaec0d171d5307032c690004]
stable/6.12: [79b713ef4261a8ead96af4703f89d0b5f25532e2]
stable/6.18: [23901aa6b8a2f294c4b774436b4691f3ff863a8f]
CVE-2026-45860: netfilter: nf_conncount: increase the connection clean
up limit to 64
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45860
Introduced by commit d265929 ("netfilter: nf_conncount: reduce
unnecessary GC") in v5.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/5.10 cip/5.10-rt stable/5.10 stable/5.15
Fixed status
cip/4.19-st: [ac7a01b06c4537def10aa53afcfbfd554f416dee]
mainline: [21d033e472735ecec677f1ae46d6740b5e47a4f3]
stable/5.10: [a5c9e14e0e8923218ae881d5e78c990c07694966]
stable/5.15: [13eede458fdf231f1bf96a398feea4ad1553f14c]
stable/6.1: [fa85432d58c8e74b39333edbf8d28df2985dfc79]
stable/6.12: [3d0994ed0aa1fc0a2c5e620b765e8defdd021bff]
stable/6.18: [6e5fa7add3e76da068a478d905be64be8fa4e80a]
stable/6.6: [0792ad077d776c2dcf20f0484e2461ded1b77a24]
CVE-2026-45861: gfs2: Fix slab-use-after-free in qd_put
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45861
Introduced by commit a475c5d ("gfs2: Free quota data objects
synchronously") in v6.6-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [22150a7d401d9e9169b9b68e05bed95f7f49bf69]
stable/6.12: [ca7c67bdd293089b3483f18886d6b2d0037d2ad9]
stable/6.18: [1d47922b98046b8070a77347fb883a6523792803]
CVE-2026-45862: iommu/vt-d: Flush cache for PASID table before using it
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45862
Introduced by commit 194b334 ("iommu/vt-d: Fix PASID directory pointer
coherency") in v6.3-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/5.10 cip/5.10-rt cip/6.1 cip/6.1-rt stable/5.10 stable/5.15 stable/6.1
Fixed status
mainline: [22d169bdd2849fe6bd18c2643742e1c02be6451c]
stable/5.10: [cd75e77125c8a51754ca4cd60b4ca083ed735d1d]
stable/5.15: [0616137b70e6d9a547d4b60df8e1b64e36d83661]
stable/6.1: [36990407cdd257473607e33802d00e978af2759e]
stable/6.12: [5962c30a6f05ea1ab73f039e235bb30716243517]
stable/6.18: [36244dfd3853f7bf89d03b8e90d56b23ce7fbc16]
stable/6.6: [c93f23375d8c410954b0df825e814b632fd62b9d]
CVE-2026-45863: i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45863
Introduced by commit 62fe9d0 ("i3c: dw: Add power management support")
in v6.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2537089413514caaa9a5fdeeac3a34d45100f747]
stable/6.12: [140a45bd4f6db7d1b30cab967d29689b946c52fa]
stable/6.18: [8e71414e252c1cb235911008a98fd47927d3a55c]
CVE-2026-45864: fs/ntfs3: prevent infinite loops caused by the next
valid being the same
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45864
Introduced by commit 4342306 ("fs/ntfs3: Add file operations and
implementation") in v5.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [27b75ca4e51e3e4554dc85dbf1a0246c66106fd3]
stable/5.15: [50c822fcb36768f1fb356f05b02a2248ef81936d]
stable/6.1: [6d93239b4fc479f7c0a412dd196ec0ca2672d14a]
stable/6.12: [b97e371e5d1c13d722335d46eb8bc1a22b272a0e]
stable/6.18: [4bf3bafb8e0635ed93e3cd4156dcbcc0fb960cb4]
stable/6.6: [71c8b966ec56e13c02388c1312910588bb49be7a]
CVE-2026-45865: mctp i2c: initialise event handler read bytes
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45865
Introduced by commit f5b8abf ("mctp i2c: MCTP I2C binding driver") in v5.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2a14e91b6d76639dac70ea170f4384c1ee3cb48d]
stable/6.1: [93e01e837e105299f1c259ef71f6e1ec4fe806e3]
stable/6.12: [fa9861e5c8af7651dddfa8d490aaada17ae33b6c]
stable/6.18: [6ff2ebfef75fbc57d937d8fbe738b967edf2d331]
stable/6.6: [11f83253244060b5de5eac787f61ae3f3e559d01]
CVE-2026-45866: serial: caif: fix use-after-free in caif_serial ldisc_close()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45866
Introduced by commit 56e0ef5 ("drivers/net: caif: fix wrong
rtnl_is_locked() usage") in v3.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [8adeaccc29edb61079c607ec2d9d85266605c9e8]
cip/4.4-st: [752d013b6a0d6f504fd1b2fcf732ec8ba66cb233]
mainline: [308e7e4d0a846359685f40aade023aee7b27284c]
stable/5.10: [5e266ba8d330d3b8e5bc198f238cd8901826cfa1]
stable/5.15: [d3c75db4e0460641dbcd274b40867e252d801da1]
stable/6.1: [4e63d6f68544ae5269ac9735ae5b69b59b5b8725]
stable/6.12: [52731ef4438155cea782fac74e547a327ab9e7c5]
stable/6.18: [c8c197aaa56b25a2d54f3aa07e27e228d6c08546]
stable/6.6: [331e2b7051635780edea248dd08ae2026c126f4a]
CVE-2026-45867: power: supply: act8945a: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45867
Introduced by commit a09209a ("power: supply: act8945a_charger: Add
status change update support") in v4.9-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [69dd2e9614e5a107217e2c84ac75281e01e7c4d7]
mainline: [3291c51d4684d048dd2eb91b5b65fcfdaf72141f]
stable/5.10: [f2a0777b1e5a3cee1712c4d3e9095c0df8fc8cb3]
stable/5.15: [0768e8525a46df103647ca5059b32320d7fd17e4]
stable/6.1: [d023ef9f748b2090f7a9dbdd5c622b6ad99088ea]
stable/6.12: [76a42ba547a9b2e2337894f67a4d9247445007d5]
stable/6.18: [f27eb76def5c07e4d7cc468b40741f19dafc83ce]
stable/6.6: [697bb5dc0cb4791e244f3970b067bc1ef33be9d9]
CVE-2026-45868: pinctrl: single: fix refcount leak in pcs_add_gpio_func()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45868
Introduced by commit a1a277e ("pinctrl: single: create new gpio
function range") in v3.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [7a9286ab1d8cc7ec18ce252f7deba61ff87d79bc]
cip/4.4-st: [a9bfc223ce08b83935b28895446c4058192db146]
mainline: [353353309b0f7afa407df29e455f9d15b5acc296]
stable/5.10: [191bfd5710d6a7f48ba4315d8d3e908dcc15243c]
stable/5.15: [3e3b28bb0b6ddc521a4fdd1c1ba0d35017a0796b]
stable/6.1: [456a60d06c09a92680dc35fabca68024badcc28e]
stable/6.12: [7814b1431848854b56717086e2b61bea3c59753d]
stable/6.18: [e2e367e56bacb93ce5ac73f0b3297d5c83d38dd4]
stable/6.6: [99cc7352156c65201c675f750e0e77c4c73d93f5]
CVE-2026-45869: power: supply: wm97xx: Fix NULL pointer dereference in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45869
Introduced by commit 7c87942 ("wm97xx_battery: Use irq to detect
charger state") in v2.6.32-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [39fe0eac6d755ef215026518985fcf8de9360e9e]
stable/5.10: [3d7b5391bb95505b3581c1fb77150c467ab92864]
stable/5.15: [438f9a303ea8b55162b2d5376490c2ab3ec165a0]
stable/6.1: [9b7d77cb046b4487e8e511e04e62b6f416ce845c]
stable/6.12: [93bdf715d33cf5ee01c58e8546c2469c71ce082a]
stable/6.18: [c0def811ad8d642dca9b6d31a198cc39f5f90837]
stable/6.6: [86183153c299e8bb1839e717286d6c6f39508a59]
CVE-2026-45870: SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45870
Introduced by commit 1d65833 ("SUNRPC: Add RPC based upcall mechanism
for RPCGSS auth") in v3.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [0ed31afc1d3baaead365e35e33f348703a32bfc5]
cip/4.4-st: [5d389fb9be0fd4d56c833f911ead53fb6a7929c5]
mainline: [3e6397b056335cc56ef0e9da36c95946a19f5118]
stable/5.10: [c81431b1b9fbd21e9a5a9211b5517b7295d18e6a]
stable/5.15: [caf7eff432e91a9eba1c79fa545c2f54be15d62b]
stable/6.1: [64303b92d94c0c7845a273acd8d84b796d6f1db7]
stable/6.12: [b4af3806846778799cd4ab0766dc18341e777264]
stable/6.18: [d79b9097a6a2b91471b40755f1225364be5d85ff]
stable/6.6: [df10f23defff22c8d55fe6db74f6e4ce927145bf]
CVE-2026-45871: tpm: st33zp24: Fix missing cleanup on get_burstcount() error
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45871
Introduced by commit bf38b87 ("tpm/tpm_i2c_stm_st33: Split
tpm_i2c_tpm_st33 in 2 layers (core + phy)") in v4.1-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [d3808c5bd98013c299246f260d3b195a94ebd990]
cip/4.4-st: [d6f8587801d1d313ba51bc6405091dd6ac75c3f9]
mainline: [3e91b44c93ad2871f89fc2a98c5e4fe6ca5db3d9]
stable/5.10: [e0ce3da82341fcd6194175f1837946b2a894c625]
stable/5.15: [7687133509cf66ced120b667fefd21f80bf17993]
stable/6.1: [1256c6dc96d1e687e6e9b63088156ed07411b00c]
stable/6.12: [cc09d55f519e15355de343264a22ac6682b8305e]
stable/6.18: [ec15eb67fe9df87981b4829b901ec254273ca483]
stable/6.6: [a51cff9be046e13e1c1b2fe45d5c48b582ec9b8c]
CVE-2026-45872: scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45872
Introduced by commit 28ca6d8 ("scsi: smartpqi: Add extended report
physical LUNs") in v5.16-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [41b37312bd9722af77ec7817ccf22d7a4880c289]
stable/6.1: [f471ecfec093e39ef8fd08978413793087daa14d]
stable/6.12: [d52e13122d3771f753dd73ae6512fa01f58015cb]
stable/6.18: [e5579ebaadc7b699868dad0f591a7bf83cd647e1]
stable/6.6: [fdf1188cfa80f88c9f18d58cb33d57ff40e70e26]
CVE-2026-45873: netfilter: nft_set_rbtree: check for partial overlaps
in anonymous sets
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45873
Introduced by commit c9e6978 ("netfilter: nft_set_rbtree: Switch to
node list walk for overlap detection") in v6.2-rc6.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/5.10 cip/5.10-rt cip/6.1
cip/6.1-rt stable/5.10 stable/5.15 stable/6.1
Fixed status
cip/4.19-st: [80109d2147a5dbf1d105b2de6c2d047fa254b5fa]
mainline: [4780ec142cbb24b794129d3080eee5cac2943ffc]
stable/5.10: [7ca5813e1b21ef300e04593f47b073ef3217aac6]
stable/5.15: [029e5f6a95e905b12d6bc20421be32a01e0eb311]
stable/6.1: [f1381ce0a1dd013610985e1c4260908163a427df]
stable/6.12: [05feaf826390fd16f1deb89dd9412def3b2a280f]
stable/6.18: [dad14d22dff1a191612acb98facceb303d0524a2]
stable/6.6: [f1535d56fc3f6c625b7e0559c006bd0318791bb1]
CVE-2026-45874: phy: freescale: imx8qm-hsio: fix NULL pointer dereference
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45874
Introduced by commit 82c56b6 ("phy: freescale: imx8qm-hsio: Add
i.MX8QM HSIO PHY driver support") in v6.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4dd5d4c0361af0a3fd24f45c815996abf4429770]
stable/6.12: [a771b386cb6c6e582e7b50f8eeff3347ff887f71]
stable/6.18: [dd8b9ba3d9701832cfb5dcefd8b43250df28dbc2]
CVE-2026-45875: mfd: arizona: Fix regulator resource leak on
wm5102_clear_write_sequencer() failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45875
Introduced by commit 1c1c6bb ("mfd: wm5102: Ensure we always boot the
device fully") in v4.2-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [99d6d4af05d1cff91669f51a38555a2519917fd6]
cip/4.4-st: [cf221582edac9ffee401e1f4452912dd3fda9e08]
mainline: [4feb753ba6e5e5bbaba868b841a2db41c21e56fa]
stable/5.10: [54eafc1b0dbcf79c5f8b6dc8d9e92e56b9384c0a]
stable/5.15: [933c5463873582baaecf5c38401ec4095b1c6269]
stable/6.1: [445cec7b4fbb1546836ae8e332d158e8d37d0fb6]
stable/6.12: [e0527c09bcf1e6beeb685a7f4177683866b8609c]
stable/6.18: [5a4923726a165593d7601834a6fb2a10ab47b85d]
stable/6.6: [3ea01691738b0decb63ea2705d2cdf27f6f26fc0]
CVE-2026-45876: arm64/gcs: Fix error handling in arch_set_shadow_stack_status()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45876
Introduced by commit b57180c ("arm64/gcs: Implement shadow stack
prctl() interface") in v6.13-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [53c998527ffa60f9deda8974a11ad39790684159]
stable/6.18: [c787a235deb33be6eda40beee8f561da5fd8cb8c]
CVE-2026-45877: HID: intel-ish-hid: fix NULL-ptr-deref in
ishtp_bus_remove_all_clients
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45877
Introduced by commit 3703f53 ("HID: intel_ish-hid: ISH Transport
layer") in v4.9-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [56f7db581ee73af53cd512e00a6261a025bf1d58]
stable/6.12: [0b605e8ce60698c27a26f512968a597fd620d2e8]
stable/6.18: [feb4bcfd405282de60aba321f13a1272b30c5af4]
CVE-2026-45878: drm/amdkfd: Fix watch_id bounds checking in debug
address watch v2
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45878
Introduced by commit e0f85f4 ("drm/amdkfd: add debug set and clear
address watch points operation") in v6.5-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5a19302cab5cec7ae7f1a60c619951e6c17d8742]
stable/6.12: [a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488]
stable/6.18: [2b36c0c1bcbbe15f6cfa9652084b3124c835a150]
stable/6.6: [971bf8e61e9b4abaacf9b35eaf76ec222758f9d6]
CVE-2026-45879: power: supply: bq25980: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45879
Introduced by commit 5069185 ("power: supply: bq25980: Add support for
the BQ259xx family") in v5.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5f0b1cb41906e86b64bf69f5ededb83b0d757c27]
stable/5.10: [86f93dfb23f5bf4f285c4256a7e909d222f7de56]
stable/5.15: [16875e3b7bc9e59bfa0acaf1e43f275a6f42a30f]
stable/6.1: [0560a4b09c92e2ecaa883965cf6f9ca51c158ff9]
stable/6.12: [4aeaf03c17260415c2fdd55992f9ad4188d5455a]
stable/6.18: [03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c]
stable/6.6: [0de95d29d847c6217b7d5845e24a71a4aee7b359]
CVE-2026-45880: PCI/P2PDMA: Release per-CPU pgmap ref when
vm_insert_page() fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45880
Introduced by commit 7e9c7ef ("PCI/P2PDMA: Allow userspace VMA
allocations through sysfs") in v6.2-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6220694c52a5a04102b48109e4f24e958b559bd3]
stable/6.12: [51b7181cfbedf289ce794b6d97a1c596c309ec38]
stable/6.18: [e19cce88ec4c4877f4ff2469099b9cf23cc3e93e]
stable/6.6: [baa42b756d183a59572f3890981a3d32b8d05d40]
CVE-2026-45881: soc: mediatek: svs: Fix memory leak in svs_enable_debug_write()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45881
Introduced by commit 13f1bbc ("soc: mediatek: SVS: add debug
commands") in v6.0-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6259094ee806fb813ca95894c65fb80e2ec98bf1]
stable/6.1: [47a3e372f7d68776adb749a27c0ec9058ff1b4fd]
stable/6.12: [a58c97828911c0b6e25d6b556789da974003efda]
stable/6.18: [0f6498077faa9cd89bb787bcc57063494a6f0601]
stable/6.6: [06195456c4e4de3826c4ca60eca941c472f991d0]
CVE-2026-45882: power: supply: pm8916_bms_vm: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45882
Introduced by commit 098bce1 ("power: supply: Add pm8916 VM-BMS
support") in v6.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [62914959b35e9a1e29cc0f64cb8cfc5075a5366f]
stable/6.12: [b69bb88e20c6f8e998dff3e13a316207f49d3fa2]
stable/6.18: [a8b7117ae3a791c6a328674d05a06cd45d8241bd]
CVE-2026-45883: iio: sca3000: Fix a resource leak in sca3000_probe()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45883
Introduced by commit 9a4936d ("staging:iio:accel:sca3000 Tidy up probe
order to avoid a race.") in v4.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [91162fef1c9622debca91c953860c0b5057fa3bf]
mainline: [62b44ebc1f2c71db3ca2d4737c52e433f6f03038]
stable/5.10: [55e13abf22c27a3b0ab5cf941dd07a2d9786736c]
stable/5.15: [40c860ece22542178cddcf01b08644bcdbc597b3]
stable/6.1: [597d749c5180f3e351837e851a6131b140324e9f]
stable/6.12: [103ac8e3a7f345a0966ef582b8a874ac31a92c7c]
stable/6.18: [517d9f2b963089b3d64c23accf7920d77f5a30c8]
stable/6.6: [e8e960c3d23fdb4882d70d34ce762368da0f1427]
CVE-2026-45884: apparmor: avoid per-cpu hold underflow in aa_get_buffer
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45884
Introduced by commit ea9bae1 ("apparmor: cache buffers on percpu list
if there is lock contention") in v6.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [640cf2f09575c9dc344b3f7be2498d31e3923ead]
stable/6.12: [202824a1f89a9786c20a3d646a7c88d223abb1b2]
stable/6.18: [80c334acc6d0bee8605a358a33e69b4aea1ffb92]
CVE-2026-45885: power: supply: cpcap-battery: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45885
Introduced by commit 874b2ad ("power: supply: cpcap-battery: Add a
battery driver") in v4.13-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [642f33e34b969eedec334738fd5df95d2dc42742]
stable/5.10: [c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4]
stable/5.15: [3ff75cba1c98349a23a8f9333981deba1972cc11]
stable/6.1: [2ce2334be155bd8bad6377e99984246ce4dbd08c]
stable/6.12: [f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a]
stable/6.18: [2841bbb5a35c4449c0a0458e8e476b2a62f95147]
stable/6.6: [cbb9b07f88a9ef6518934c41eb3e8cf840d657d5]
CVE-2026-45886: bpf: Fix bpf_xdp_store_bytes proto for read-only arg
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45886
Introduced by commit 3f36422 ("net: xdp: introduce bpf_xdp_pointer
utility routine") in v5.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6557f1565d779851c4db9c488c49c05a47a6e72f]
stable/6.1: [ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e]
stable/6.12: [0db169a91381a473b7974021d1c02f8da72c5775]
stable/6.18: [d7b87adeb0eb539b9b824b101bb14fb01e41240b]
stable/6.6: [ddc34a1b85505c919026ddc82fafdada9a160b15]
CVE-2026-45887: af_unix: Fix memleak of newsk in unix_stream_connect().
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45887
Introduced by commit fd0a109 ("net, pidfs: prepare for handing out
pidfds for reaped sk->sk_peer_pid") in v6.16-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6884028cd7f275f8bcb854a347265cb1fb0e4bea]
stable/6.18: [365996a2b14d07caa9e33d367b67ea26c09d89b4]
CVE-2026-45888: md/raid1: fix memory leak in raid1_run()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45888
Introduced by commit 97894f7 ("md/raid1: use the atomic queue limit
update APIs") in v6.9-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6abc7d5dcf0ee0f85e16e41c87fbd06231f28753]
stable/6.12: [c94fd6e8a71efd047ff36930e840f3c25679e136]
stable/6.18: [ec10e3dc93994b87adf7c759a4639fe34013989a]
CVE-2026-45889: mptcp: do not account for OoO in mptcp_rcvbuf_grow()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45889
Introduced by commit e118cdc ("mptcp: rcvbuf auto-tuning improvement")
in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6b329393502e5857662b851a13f947209c588587]
stable/6.18: [fb7bf00b04a6b48859f52035d4e745848c2b4c79]
CVE-2026-45890: xen-netback: reject zero-queue configuration from guest
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45890
Introduced by commit 8d3d53b ("xen-netback: Add support for multiple
queues") in v3.16-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [311d876e64a13a1022c983bcab20679c7c106ef6]
cip/4.4-st: [9859c4a4b50d2859e8a98e3116f9c1e61ab60114]
mainline: [6d1dc8014334c7fb25719999bca84d811e60a559]
stable/5.10: [2993e0f904c45f8af12917344bb1cac7ccd05a60]
stable/5.15: [787bfa423228c4b02ba3368128f625d579085353]
stable/6.1: [ce66d6786de45b7ed9cbbdc0988054bf09e58f54]
stable/6.12: [ec4859ac5c933e3315543a61adc1ca4358006a41]
stable/6.18: [654780dee9eae419e1648ea58462c4efe54518fa]
stable/6.6: [88b0fced1bbbfdb356a007592604008ffc93a6a1]
CVE-2026-45891: net: hns3: fix double free issue for tx spare buffer
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45891
Introduced by commit 907676b ("net: hns3: use tx bounce buffer for
small packets") in v5.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6d2f142b1e4b203387a92519d9d2e34752a79dbb]
stable/5.15: [fb6a4c376d454b425555b1b0bda36e99f56ec307]
stable/6.1: [43015461662d41dcfb3bb95fadd8a2a42ad8eacf]
stable/6.12: [d2c785733dfb853ea0b53984c75662a1af230a94]
stable/6.18: [fdbccddb7e7822016601829f95de4008e193f7bc]
stable/6.6: [6dc10494cfe27b6f1e9adb7e293293ae39c50b7c]
CVE-2026-45892: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45892
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
mainline: [6d882ea3b0931b43530d44149b79fcd4ffc13030]
stable/6.1: [9e79460b3aae6bbf33f5ccea6c44bf2eefa45daf]
stable/6.12: [d8ee559fccdef713f058cfe5f2c03dc9b18be3b1]
stable/6.18: [c2ee51d684adca7645e4aa74adca13f6750390bc]
stable/6.6: [f0931a5c17005a0c4fc35bd1a001245effc3354b]
CVE-2026-45893: apparmor: Fix & Optimize table creation from possibly
unaligned memory
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45893
Introduced by commit e6e8bf4 ("apparmor: fix restricted endian type
warnings for dfa unpack") in v4.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6fc367bfd4c8886e6b1742aabbd1c0bdc310db3a]
stable/6.12: [47e351dfef60ab0e3285133556e1a9c7f646a969]
stable/6.18: [e027999049c493fb728ead5a90db76942181a935]
CVE-2026-45894: iommu/vt-d: Clear Present bit before tearing down PASID entry
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45894
Introduced by commit 0bbeb01 ("iommu/vt-d: Manage scalalble mode PASID
tables") in v5.0-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [75ed00055c059dedc47b5daaaa2f8a7a019138ff]
stable/6.12: [a84d30e8d2bacd21782a6481158b7c9c552f4868]
stable/6.18: [821807c167b7b48a41b95b6607c6b9f97600f7d9]
CVE-2026-45895: quota: fix livelock between quotactl and freeze_super
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45895
Introduced by commit 576215c ("fs: Drop wait_unfrozen wait queue") in v6.5-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [77449e453dfc006ad738dec55374c4cbc056fd39]
stable/6.12: [414259caf81a397563fc9baca9c0ef856c4a97cf]
stable/6.18: [02bb1500f1479750e6557c8044f6a2d7e9d30c12]
stable/6.6: [37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82]
CVE-2026-45896: mtd: intel-dg: Fix accessing regions before setting nregions
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45896
Introduced by commit ceb5ab3 ("mtd: add driver for intel graphics
non-volatile memory device") in v6.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [779c59274d03cc5c07237a2c845dfb71cff77705]
stable/6.18: [721bd22bcf45a63ebd9bd0f478ef721b45cc5383]
CVE-2026-45897: netfilter: nft_counter: serialize reset with spinlock
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45897
Introduced by commit bd662c4 ("netfilter: nf_tables: Add locking for
NFT_MSG_GETOBJ_RESET requests") in v6.11-rc4.
Introduced by commit 3d483fa ("netfilter: nf_tables: Add locking for
NFT_MSG_GETSETELEM_RESET requests") in v6.8-rc1.
Introduced by commit 3cb03ed ("netfilter: nf_tables: Add locking for
NFT_MSG_GETRULE_RESET requests") in v6.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [779c60a5190c42689534172f4b49e927c9959e4e]
CVE-2026-45898: RDMA/iwcm: Fix workqueue list corruption by removing work_list
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45898
Introduced by commit e1168f0 ("RDMA/iwcm: Simplify
cm_event_handler()") in v6.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7874eeacfa42177565c01d5198726671acf7adf2]
stable/6.12: [38c5b49fffa1b760959af74f11806eeb3ef4706d]
stable/6.18: [eb715133e0ae12514bba4d2d5ce1dee774476056]
CVE-2026-45899: ext4: drop extent cache when splitting extent fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45899
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
cip/4.19-st: [cc24452e8666b35f601c4124e7106e13eba01cb1]
cip/4.4-st: [8519b9b867c21ea906d5250877e880b46f7d924b]
mainline: [79b592e8f1b435796cbc2722190368e3e8ffd7a1]
stable/5.10: [6e54f8dfee359bbd58086c883ea8cffd5312999d]
stable/5.15: [337506dc652383c80839edb8d8dcdd8ff2129b4f]
stable/6.1: [de8e1b17e3876a44c4537bff0bc2dfd244efe8d9]
stable/6.12: [120c6bd7ca9d3e80a968b758cbb3fbd67570f132]
stable/6.18: [808f3191498f300174523c54cab101e18795ae4e]
stable/6.6: [dc7c9b9d03a59a7fe483574531327e650a4b4adc]
CVE-2026-45900: crypto: caam - fix netdev memory leak in dpaa2_caam_probe
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45900
Introduced by commit 0e1a4d4 ("crypto: caam: Unembed net_dev structure
in dpaa2") in v6.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7d43252b3060b0ba4a192dce5dba85a3f39ffe39]
stable/6.12: [d5c6f254528caf78d5de7d9646dc21c81d351827]
stable/6.18: [d7decb572b55d2af33e59e9858fcee5d9ae69175]
CVE-2026-45901: netfilter: nf_tables: revert commit_mutex usage in reset path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45901
Introduced by commit bd662c4 ("netfilter: nf_tables: Add locking for
NFT_MSG_GETOBJ_RESET requests") in v6.11-rc4.
Introduced by commit 3d483fa ("netfilter: nf_tables: Add locking for
NFT_MSG_GETSETELEM_RESET requests") in v6.8-rc1.
Introduced by commit 3cb03ed ("netfilter: nf_tables: Add locking for
NFT_MSG_GETRULE_RESET requests") in v6.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7f261bb906bf527c4a6e2a646e2d5f3679f2a8bc]
CVE-2026-45902: power: supply: bq256xx: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45902
Introduced by commit 32e4978 ("power: supply: bq256xx: Introduce the
BQ256XX charger driver") in v5.12-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8005843369723d9c8975b7c4202d1b85d6125302]
stable/5.15: [81d3688c9a2158329391e08f2d0b8ba204216044]
stable/6.1: [74b5a88318db97d51bb40f774736553c2acd1514]
stable/6.12: [83c27fdd696ac13d023ef7a0345301be93209c53]
stable/6.18: [4b6fb0b6124f558131e502e3ffd03e6583b3ace6]
stable/6.6: [cb5c743936edcebc51880eeb6bf04979b5c9438b]
CVE-2026-45903: bpf: Fix memory access flags in helper prototypes
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45903
Introduced by commit 37cce22 ("bpf: verifier: Refactor helper access
type tracking") in v6.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [802eef5afb1865bc5536a5302c068ba2215a1f72]
stable/6.18: [fdfe75161f6e8c41a7d3023fbb815b537107b806]
CVE-2026-45904: powerpc/eeh: fix recursive pci_lock_rescan_remove
locking in EEH event handling
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45904
Introduced by commit 1010b4c ("powerpc/eeh: Make EEH driver device
hotplug safe") in v6.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/5.10 cip/5.10-rt cip/6.1 cip/6.1-rt cip/6.12 stable/5.10
stable/5.15 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [815a8d2feb5615ae7f0b5befd206af0b0160614c]
stable/5.10: [89810e2d80281d42f855fac813786758ee16e323]
stable/5.15: [788dd28fd49610d6047cbb15dbf1186afffdfbaf]
stable/6.1: [f49faa4a64f8ac0e38983e606075b25dfcfc9ad4]
stable/6.12: [f8b16d5764ee1e78c1ef333017ad383ffe76fcdc]
stable/6.18: [6e6561231c6cfc32c5631aeecc0928ff2b14265c]
stable/6.6: [87a1f93986aa1500b85aeff16b0b71c29ea116ea]
CVE-2026-45905: xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45905
Introduced by commit 8b7817f ("[IPSEC]: Add ICMP host relookup
support") in v2.6.25-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00]
stable/6.1: [9a95ec9144eeff1fc6fbcc21b677e322c6f1430b]
stable/6.12: [b04061f89ffc6168e7ec3c71d0086ec3c3797228]
stable/6.18: [1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1]
stable/6.6: [2c1f59005da9dd4b07b26984fd719e36557dc57c]
CVE-2026-45906: power: supply: pf1550: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45906
Introduced by commit 4b6b643 ("power: supply: pf1550: add battery
charger support") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [838767f5074700552d3f006d867caed65edc7328]
CVE-2026-45907: net/mlx5e: Fix deadlocks between devlink and netdev
instance locks
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45907
Introduced by commit 8f7b003 ("net/mlx5e: Convert mlx5 netdevs to
instance locking") in v6.16-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [83ac0304a2d77519dae1e54c9713cbe1aedf19c9]
stable/6.18: [4329514c61abefe4961541b128c549b017bab5ad]
CVE-2026-45908: accel/amdxdna: Fix memory leak in amdxdna_ubuf_map
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45908
Introduced by commit bd72d4a ("accel/amdxdna: Support user space
allocated buffer") in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [84dd57fb0359500092f1101409ca32091731490d]
stable/6.18: [5a68d2c99c859e6e8e36fa4e32749abf6d1fb66a]
CVE-2026-45909: clk: mediatek: Drop __initconst from gates
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45909
Introduced by commit 8ceff24 ("clk: mediatek: clk-gate: Refactor
mtk_clk_register_gate to use mtk_gate struct") in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [871afb43e41ad4e8246438de495a939cd0f8113c]
stable/6.18: [1debd9ba7eb18af8fb63dc93517c6bbcab0e31ee]
CVE-2026-45910: RDMA/rxe: Fix race condition in QP timer handlers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45910
Introduced by commit d946716 ("RDMA/rxe: Rewrite rxe_task.c") in v6.4-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [87bf646921430e303176edc4eb07c30160361b73]
stable/6.12: [3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2]
stable/6.18: [5ae9da022ee3c97e6469eabcddce9271501ddbad]
stable/6.6: [756c93d6df7c3bc599f6590b8e5afead6a41de1c]
CVE-2026-45911: usb: cdns3: fix role switching during resume
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45911
Introduced by commit 2cf2581 ("usb: cdns3: add power lost support for
system resume") in v5.13-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [87e4b043b98a1d269be0b812f383881abee0ca45]
stable/5.15: [ff02bd303d2d78051771db51119d66c0cf442f47]
stable/6.1: [94c742614899ff18a6b3e6f3cfbe7b9f36c865f3]
stable/6.12: [56289298431ed76700b9aac27a3b1d929fe61b8d]
stable/6.18: [fc086c0ce3db0eefbbeb66a5b1e626296336e33a]
stable/6.6: [d637f6ec149ffd2f8257bcc261561dc2e44dbb8c]
CVE-2026-45912: ext4: don't cache extent during splitting extent
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45912
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
cip/4.19-st: [3656ec552a870a4903159ad5a6f849b0be50cb1a]
cip/4.4-st: [4d73db6c36f19dca4cd4daf90def26157fc5e733]
mainline: [8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79]
stable/5.10: [8302b5b4aacdbb378f7b1216bb2ee782b5142415]
stable/5.15: [692103feca376ae4298c92aa8828015d20f1d87b]
stable/6.1: [4c2d9dac4d328244f9365b0a1fa27ec802821820]
stable/6.12: [96007fd3c106aea773c1afae2d6f64cceb6da208]
stable/6.18: [5b1f4290453314e11cd8e15c7baa8a9b76c19b23]
stable/6.6: [93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036]
CVE-2026-45913: net: bridge: mcast: always update mdb_n_entries for
vlan contexts
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45913
Introduced by commit b57e8d8 ("net: bridge: Maintain number of MDB
entries in net_bridge_mcast_port") in v6.3-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8b769e311a86bb9d15c5658ad283b86fc8f080a2]
stable/6.12: [724a405ce0309676f1e993c173382b4c4a022beb]
stable/6.18: [fae260fc84e1eae8f590c7907e53e8768df2d986]
stable/6.6: [d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce]
CVE-2026-45914: Revert "hwmon: (ibmpex) fix use-after-free in high/low store"
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45914
Introduced by commit 6946c72 ("hwmon: (ibmpex) fix use-after-free in
high/low store") in v6.19-rc2.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/4.4 cip/4.4-rt cip/4.4-st
cip/5.10 cip/5.10-rt cip/6.1 cip/6.1-rt cip/6.12 stable/5.10
stable/6.1 stable/6.12 stable/6.18 stable/6.6
Fixed status
cip/4.19-st: [befd26c92611aae8b323f5bb92dbc4c9e1e51ef9]
cip/4.4-st: [3dc2d2b29bbf0e5bcc3f04d1da935eefadc700bf]
mainline: [8bde3e395a85017f12af2b0ba5c3684f5af9c006]
stable/5.10: [05112ba67c824ab416cd54307c0b50aba9f0047a]
stable/6.1: [efd68429f23fb4015b0ebc2392334059e06fad18]
stable/6.12: [914b47c9b824d3d74f31c764163edf93302100b1]
stable/6.18: [14a38784e09aebc21207dc32fffa05247fc3dd64]
stable/6.6: [f448acd86835a650f9ea83460b9ca347d3aafba5]
CVE-2026-45915: fat: avoid parent link count underflow in rmdir
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45915
Introduced by commit 9a53c3a ("[PATCH] r/o bind mounts: unlink:
monitor i_nlink") in v2.6.20.16.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [31e8035b626c29413d787d71d299a1c5c6bc097e]
cip/4.4-st: [3a48d61672583f2e1d2b1a1894858971c78151e3]
mainline: [8cafcb881364af5ef3a8b9fed4db254054033d8a]
stable/5.10: [7fe0de287e931e07cb96ecf1f449b2ebdb0e1115]
stable/5.15: [9894c79fd9466612d0514be157b5c30cd93aa645]
stable/6.1: [cd569b87378b9c33ae13c23d6bb9d205d66f7c4b]
stable/6.12: [955c5d670b5ae07c78f4345e23a895638db96ce1]
stable/6.18: [17866f8a0822d414cb02e621cf003a7d04396ef8]
stable/6.6: [d3b7ffa90f613938128432c7b2f35b7aa4bdd86b]
CVE-2026-45916: power: supply: sbs-battery: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45916
Introduced by commit d2cec82 ("power: sbs-battery: Request threaded
irq and fix dev callback cookie") in v4.9-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [85d3f4fd090a3786a349132d9f363d141036f6e3]
mainline: [8d59cf3887fbabacef53bfba473e33e8a8d9d07b]
stable/5.10: [ca7dd71773e4e050b0fb98768b7eae60f8d1f38b]
stable/5.15: [f1f472b14ad56104ba228b8fbec60d5b21829913]
stable/6.1: [8010b745b436c3e1ca5dd960aa29fa3e0f6d8841]
stable/6.12: [82d3eb97a976c9d56bb92b241397610e57a9c629]
stable/6.18: [861dda7a9074c0ff67788928165ae39d7f647491]
stable/6.6: [2078830c32d1e49ac942c6f8c21f35c806ae5e94]
CVE-2026-45917: ipvs: do not keep dest_dst if dev is going down
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45917
Introduced by commit 7a4f076 ("IPVS: init and cleanup restructuring")
in v2.6.39.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8fde939b0206afc1d5846217a01a16b9bc8c7896]
stable/6.12: [64af43033503458c46023e56d6ae7bb0f824b55f]
stable/6.18: [bae53b3baf2ff2f45f9205c438818fc055601a54]
CVE-2026-45918: ovpn: tcp - don't deref NULL sk_socket member after tcp_close()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45918
Introduced by commit 11851cb ("ovpn: implement TCP transport") in v6.16-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [94560267d6c41b1ff3fafbab726e3f8a55a6af34]
stable/6.18: [f998b2c4bec487063a586695159f9a1856e81c56]
CVE-2026-45919: sched/rt: Skip currently executing CPU in rto_next_cpu()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45919
Introduced by commit 4bdced5 ("sched/rt: Simplify the IPI based RT
balancing logic") in v4.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/4.4 cip/4.4-rt cip/4.4-st
Fixed status
cip/4.19-st: [95ce8247de7ca958a03328513fdc99f63c7b5058]
cip/4.4-st: [1f0084ce242353b5d8a4fdcda3f9c6be8fab42cd]
mainline: [94894c9c477e53bcea052e075c53f89df3d2a33e]
stable/5.10: [d57d0746276a88ea43a2cc62b849fd8a95e32e41]
stable/5.15: [3b3c672a66db3de3b40f8a7057864bc1f874ede3]
stable/6.1: [16ca9f3117e9a294646c897daf08a5ab546c711b]
stable/6.12: [a6a73403733e86748421f2eeaf028c85683ef896]
stable/6.18: [52aeb1e07ec223caf212f036817976c98d2aa250]
stable/6.6: [8ad5577b2d4acfd83f03d97a0aece2d18aac5f07]
CVE-2026-45920: ext4: fix dirtyclusters double decrement on fs shutdown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45920
Introduced by commit 0087d9f ("ext4: Fix s_dirty_blocks_counter if
block allocation failed with nodelalloc") in v2.6.29-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [1c3cc44f4bfbbfcecace466e3a040df6fbfca2e8]
cip/4.4-st: [c7ff09d66ac8a037fc4bcd474d7b957943376f17]
mainline: [94a8cea54cd935c54fa2fba70354757c0fc245e3]
stable/5.10: [523d5a4df3c649fa305c89efb552ec62a1ce9d3d]
stable/5.15: [ca408af08544d96769c93a3d81a7f63f61129e95]
stable/6.1: [55576fa14771d33994c29a9ae960e07bb3f56c20]
stable/6.12: [61e372122b6d95aec940fdaea0a16f988f359897]
stable/6.18: [3924aea2c33df3864929c1acd178bfc29d8f005f]
stable/6.6: [dbc4e10619ed87a50e637b96f2e574df36a7a769]
CVE-2026-45921: mtd: parsers: Fix memory leak in
mtd_parser_tplink_safeloader_parse()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45921
Introduced by commit 00a3588 ("mtd: parsers: add TP-Link SafeLoader
partitions table parser") in v6.2-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [980ce2b02dd06a4fdf5fee38b2e14becf9cf7b8b]
stable/6.12: [e97f5fac8ce9a6b9ec724c97d86b0985e915fdca]
stable/6.18: [ec121ad626c319085f6d40a52cd04e99b4554926]
stable/6.6: [0f5e62ea5c43146eacdc6861cb1022ffae1b79bc]
CVE-2026-45922: RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45922
Introduced by commit ec7ad65 ("RDMA/mlx5: Introduce
GET_DATA_DIRECT_SYSFS_PATH ioctl") in v6.12-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9b9d253908478f504297ac283c514e5953ddafa6]
stable/6.12: [ee998cdbff6680891b0efd9d6ce53a388e5342c3]
stable/6.18: [b2bc649c18fbe8a7fd38d17266da3dcbfbcc44d2]
CVE-2026-45923: net: usb: catc: enable basic endpoint checking
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45923
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [fb5824e8df6223af8620fdc255a5dd5175e1f902]
cip/4.4-st: [c7c41f8865f93a03cf14a7d128fa6d782f20d67c]
mainline: [9e7021d2aeae57c323a6f722ed7915686cdcc123]
stable/5.10: [eade522d3e6ac3f3bfb51bfa5b5b4b32bd0b846f]
stable/6.1: [ac7739b78ded519e1d9919a814da3b34120bec8c]
stable/6.12: [a488001a8197da4f9c413eec8f6acbff71c60145]
stable/6.18: [36c28b028efba0f42218d41fed12c47ce217c1f1]
stable/6.6: [163d04897e57633c5d2e69734e4e4b22bb63f50d]
CVE-2026-45924: ksmbd: call ksmbd_vfs_kern_path_end_removing() on some
error paths
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45924
Introduced by commit d5fc140 ("smb/server: avoid deadlock when linking
with ReplaceIfExists") in v6.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/5.15 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [a09dc10d1353f0e92c21eae2a79af1c2b1ddcde8]
stable/5.15: [8e3a3192ef78d8302916408d62813b1fddfc8972]
stable/6.1: [f221baa80e5959a0c08a7e34abbf2a4d3cf0e1c2]
stable/6.12: [34d6691933682f0516259a31b39d2cebcedec0a5]
stable/6.18: [0c578e8065c4b08d5635a4cbc0f6321df9d20f79]
stable/6.6: [cf29329a13df79c198b45dfc92577638d30b56fa]
CVE-2026-45925: thermal/of: Fix reference leak in thermal_of_cm_lookup()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45925
Introduced by commit 423de5b ("thermal/of: Fix cdev lookup in
thermal_of_should_bind()") in v6.14-rc5.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12
Fixed status
mainline: [a1fe789a96fe47733c133134fd264cb7ca832395]
stable/6.12: [8af710156c53cdb392d529497ef2b3a10a1f9370]
stable/6.18: [8344d5da9df74fdbef676214d0c482fc822a01ca]
CVE-2026-45926: rust: pwm: Fix potential memory leak on init error
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45926
Introduced by commit 7b3dce8 ("rust: pwm: Add Kconfig and basic data
structures") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a2633dc243c35754a0c2270131d8a199c987c9bf]
CVE-2026-45927: bpf: Require frozen map for calculating map hash
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45927
Introduced by commit ea2e646 ("bpf: Return hashes of maps in
BPF_OBJ_GET_INFO_BY_FD") in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a2c86aa621c22f2a7e26c654f936d65cfff0aa91]
stable/6.18: [7752d36343862323bbeea4ce3adf0ec2ed86e122]
CVE-2026-45928: media: chips-media: wave5: Fix memory leak on
codec_info allocation failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45928
Introduced by commit 9707a62 ("media: chips-media: wave5: Add the v4l2
layer") in v6.8-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a519e21e32398459ba357e67b541402f7295ee1b]
stable/6.12: [52defdd4034db1a34bb48006f889d66a3629224b]
stable/6.18: [1de71556cbd6e1d0d26fb86b9b3bb8caa0df8495]
CVE-2026-45929: ovpn: fix possible use-after-free in ovpn_net_xmit
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45929
Introduced by commit 08857b5 ("ovpn: implement basic TX path (UDP)")
in v6.16-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41]
stable/6.18: [3e4fbcb4e078915367ba5576cd70d76dbc970f95]
CVE-2026-45930: net: mctp: ensure our nlmsg responses are initialised
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45930
Introduced by commit 831119f ("mctp: Add neighbour netlink interface")
in v5.15-rc1.
Introduced by commit 06d2f4c ("mctp: Add netlink route management") in
v5.15-rc1.
Introduced by commit 583be98 ("mctp: Add device handling and netlink
interface") in v5.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a6a9bc544b675d8b5180f2718ec985ad267b5cbf]
CVE-2026-45931: accel/amdxdna: Hold mm structure across
iommu_sva_unbind_device()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45931
Introduced by commit be462c9 ("accel/amdxdna: Add hardware context")
in v6.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a9162439ad792afcddc04718408ec1380b7a5f63]
stable/6.18: [f6b4c1d98a7b8040d4d02e89425b3942016a2c2c]
CVE-2026-45932: bpf: Fix tcx/netkit detach permissions when prog fd isn't given
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45932
Introduced by commit e420bed ("bpf: Add fd-based tcx multi-prog infra
with link support") in v6.6-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ae23bc81ddf7c17b663c4ed1b21e35527b0a7131]
stable/6.18: [4e0772cded109c238411f2fac36ac39302758b81]
CVE-2026-45933: bpf: Preserve id of register in sync_linked_regs()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45933
Introduced by commit 98d7ca3 ("bpf: Track delta between "linked"
registers.") in v6.11-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [af9e89d8dd39530c8bd14c33ddf6b502df1071b6]
stable/6.12: [58059335e46537de682db84984f7716c813208c4]
stable/6.18: [92a8cb1806adefb263cf096eab6705705cf7eee1]
CVE-2026-45934: btrfs: fix EEXIST abort due to non-consecutive gaps in
chunk allocation
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45934
Introduced by commit 1b98450 ("Btrfs: fix find_free_dev_extent()
malfunction in case device tree has hole") in v4.1-rc2.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b14c5e04bd0f722ed631845599d52d03fcae1bc1]
stable/6.18: [7d4eadee7042d27fcea659fcdd738f463a7d2e70]
CVE-2026-45935: fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45935
Introduced by commit b46acd6 ("fs/ntfs3: Add NTFS journal") in v5.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b2bc7c44ed1779fc9eaab9a186db0f0d01439622]
stable/5.15: [36c03f7f177b34d51f1cf1d2304b1074607bf4b0]
stable/6.1: [b271c9cb85927210b1b799e55ee7f702d12b4336]
stable/6.12: [c065541b71b79874c83d418a9acd18ad5826339b]
stable/6.18: [78942172d5bff4d4afed8674abc09cc560ce44a0]
stable/6.6: [a584b9d1059b29e97e17c919274e9adfb846f2a0]
CVE-2026-45936: power: supply: goldfish: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45936
Introduced by commit 84d7b76 ("power: Add battery driver for goldfish
emulator") in v3.9-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b2ce982e2e0c888dc55c888ad0e20ea04daf2e6b]
stable/5.10: [589d4fe56713c6344cd9f8939f9c7621c85f0966]
stable/5.15: [bad8b61eb5059acd88349680e47839342dc89e94]
stable/6.1: [33751e28842bf5aee5ef7b2b8d5e456a069095cb]
stable/6.12: [4350505e82b4f972ddb788e1c712c557c38859d0]
stable/6.18: [8c89aade8335e26a6a7dcda18992d15f51943927]
stable/6.6: [77ea437faa4c06362e3ecfd2d7264eaa7ac1e82c]
CVE-2026-45937: crypto: inside-secure/eip93 - fix kernel panic in driver detach
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45937
Introduced by commit 9739f5f ("crypto: eip93 - Add Inside Secure
SafeXcel EIP-93 crypto engine support") in v6.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b6e32ba6d32503440a3e3e16c8d0521cbb7e0c5d]
stable/6.18: [7530c3595d1e23bc5938cbd44b7e8f33457fc71f]
CVE-2026-45938: power: supply: pm8916_lbc: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45938
Introduced by commit f8d7a3d ("power: supply: Add driver for pm8916
lbc") in v6.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b7508129978ae1e2ed9b0410396abc05def9c4eb]
stable/6.12: [dbe579e620ef0f53db490ec79a8566e4ea8918ac]
stable/6.18: [08e674e9862a2db46fb234eb7c5442455ece0131]
CVE-2026-45939: gpib: Fix memory leak in ni_usb_init()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45939
Introduced by commit 4e127de ("staging: gpib: Add National Instruments
USB GPIB driver") in v6.13-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b89921eed8cf2d97250bac4be38dbcfbf048b586]
stable/6.18: [9c97fcfb7a62dea893104a046d544da8ac23370b]
CVE-2026-45940: net: stmmac: fix oops when split header is enabled
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45940
Introduced by commit ec22200 ("net: stmmac: Prepare to add Split
Header support") in v5.4-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [babab1b42ed68877ef669a08384becf281ad2582]
stable/6.18: [b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609]
CVE-2026-45941: tpm: tpm_i2c_infineon: Fix locality leak on
get_burstcount() failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45941
Introduced by commit aad628c ("char/tpm: Add new driver for Infineon
I2C TIS TPM") in v3.7-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [06b6c632f87cb35c492dd0e5f69829f82761bbd7]
cip/4.4-st: [449864e5eae0b21beeda22a71d0adbcff7139214]
mainline: [bbd6e97c836cbeb9606d7b7e5dcf8a1d89525713]
stable/5.10: [8f124c5582d443ac9fb690db26d08cab5d6ba76e]
stable/5.15: [c24c9c4cab11858f22f309521ba7ea5b1e7385f2]
stable/6.1: [1bb8f8826d0748b4b92a98fb6b6dfe52081739f5]
stable/6.12: [a61b8412e3eb8b71646dba867e8252d8560a1a27]
stable/6.18: [1a22048c1117cdfac185ba450aba67ed6b65dc87]
stable/6.6: [948966e546f29af04391d98b8e378e4a7670c1c1]
CVE-2026-45942: ext4: fix e4b bitmap inconsistency reports
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45942
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
mainline: [bdc56a9c46b2a99c12313122b9352b619a2e719e]
stable/6.12: [c05033cfc5c7699cd4df8d48cef94d01da755f24]
stable/6.18: [29a07d691d282faf38c33d4b61839b89399110f9]
stable/6.6: [57e83bfbe1e412ac42daced2086f3c6f9a17bba0]
CVE-2026-45943: erofs: fix inline data read failure for ztailpacking pclusters
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45943
Introduced by commit cecf864 ("erofs: support inline data
decompression") in v5.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c134a40f86efb8d6b5a949ef70e06d5752209be5]
stable/6.12: [ad07ea069f924465061cfee40ef2861bb99f4dd8]
stable/6.18: [5de1aa0bf3a5db0b3cbf61959da5ac61250833ed]
CVE-2026-45944: iommu/vt-d: Clear Present bit before tearing down context entry
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45944
Introduced by commit ba39592 ("Intel IOMMU: Intel IOMMU driver") in v2.6.24-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c1e4f1dccbe9d7656d1c6872ebeadb5992d0aaa2]
stable/6.18: [d2138abc8f0a7fce4101b7229b43b06811ed083d]
CVE-2026-45945: iommu/vt-d: Fix race condition during PASID entry replacement
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45945
Introduced by commit 7543ee6 ("iommu/vt-d: Add pasid replace helpers")
in v6.13-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c3b1edea3791fa91ab7032faa90355913ad9451b]
CVE-2026-45946: power: supply: ab8500: Fix use-after-free in
power_supply_changed()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45946
Introduced by commit 1c1f13a ("power: supply: ab8500: Move to
componentized binding") in v5.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c4af8a98bb52825a5331ae1d0604c0ea6956ba4b]
stable/5.15: [43cbb78ee047b9b12d096d40e3be265969d4c1f8]
stable/6.1: [551672981fe227122258a25a385a05f5c0746ad6]
stable/6.12: [847eeb6c0efcd76c7def73857cf798a4fcd8f79b]
stable/6.18: [709db4b476e254579d9c48ec34d397a41ca0c407]
stable/6.6: [f50433f2603def08b21a4bf2fd238687fb5cbde9]
CVE-2026-45947: drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45947
Introduced by commit 4d5275a ("drm/amdgpu: Add parsing of acpi xcc
objects") in v6.5-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c9be63d565789b56ca7b0197e2cb78a3671f95a8]
stable/6.12: [18a7bbd11f17a7cd4c42fd5955d3675d68c692df]
stable/6.18: [d1370ef2ecf7d4df25e3e1e430cd191b1e7f8596]
stable/6.6: [e87c73a80a12d337cf5f493c0956f6c2c9eafd80]
CVE-2026-45948: ext4: fix memory leak in ext4_ext_shift_extents()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45948
Introduced by commit a18ed35 ("ext4: always check ext4_ext_find_extent
result") in v3.15-rc3.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [6894a6cdec5734b43405543a1da2201d7d4b0971]
cip/4.4-st: [6a930dec1cc3a1482a97db188f0c72f60df335ea]
mainline: [ca81109d4a8f192dc1cbad4a1ee25246363c2833]
stable/5.10: [7e807cb8603b7664fa630a696cd891d9a03c248d]
stable/5.15: [afc5e61e1a07b2b833bd72cbee36ecce9cd901e2]
stable/6.1: [1bce219ee5512cf179ba40cf114945a14a16e21f]
stable/6.12: [2f4b1052246ca646bb17bfe0f53df2fdf9729b58]
stable/6.18: [12615ab4bfb69678e5d961b28bb70040299e51b1]
stable/6.6: [4a79fde8db7eba7f1128d971ceba4e3c9ac84aec]
CVE-2026-45949: hwrng: core - use RCU and work_struct to fix race condition
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45949
Introduced by commit be4000b ("hwrng: create filler thread") in v3.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cc2f39d6ac48e6e3cb2d6240bc0d6df839dd0828]
stable/6.12: [d5b7730f06994499632026c30e38e0317c4569e2]
stable/6.18: [dcf416eb88eafe1e3c0f920a14bdffd10bc4d259]
CVE-2026-45950: crypto: starfive - Fix memory leak in
starfive_aes_aead_do_one_req()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45950
Introduced by commit 7467147 ("crypto: starfive - Use dma for aes
requests") in v6.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ccb679fdae2e62ed92fd9acb25ed809c0226fcc6]
stable/6.12: [38d80307decc1132626a30e2a62af734630ecca5]
stable/6.18: [4869d0e4e48a5301b267d359b2561c4080791a55]
CVE-2026-45951: bpf: Fix a potential use-after-free of BTF object
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45951
Introduced by commit 76145f7 ("bpf: Refactor check_pseudo_btf_id") in v6.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ccd2d799ed4467c07f5ee18c2f5c59bcc990822c]
stable/6.18: [eac65c272f3b49021a843cba5107d63627395e0e]
CVE-2026-45952: eth: fbnic: Add validation for MTU changes
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45952
Introduced by commit 1b0a395 ("eth: fbnic: Add XDP pass, drop, abort
support") in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ccd8e87748ad083047d6c8544c5809b7f96cc8df]
stable/6.18: [d7eaa006c0444a5d4671be7efe6dbb33ef8b515e]
CVE-2026-45953: md/raid5: fix IO hang with degraded array with llbitmap
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45953
Introduced by commit 5ab829f ("md/md-llbitmap: introduce new lockless
bitmap") in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [cd1635d844d26471c56c0a432abdee12fc9ad735]
stable/6.18: [870b9f15867b0e70f3459ef3974b043e8b229690]
CVE-2026-45954: fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45954
Introduced by commit 4e88761 ("fbdev: au1200fb: Fix missing IRQ check
in au1200fb_drv_probe") in v6.5-rc3.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/4.4 cip/4.4-rt cip/4.4-st
cip/5.10 cip/5.10-rt cip/6.1 cip/6.1-rt stable/5.10 stable/5.15
stable/6.1
Fixed status
cip/4.19-st: [d90ffe410d77f9973708de3ee063dfbba1f7db45]
mainline: [ce4e25198a6aaaaf36248edf8daf3d744ec8e309]
stable/5.10: [81831d56b723bc1090ce3158feddaca88e85f939]
stable/5.15: [071d8fb757a8318f72c8e02898c2cf7e14e21fb6]
stable/6.1: [bd1ad63e11b2a568e98de536f319054d2de29f56]
stable/6.12: [762a26818934241b8b0172a229d2cf5d87260e40]
stable/6.18: [3d4202ee6494c0d576cdc104b12e0834ca8136a8]
stable/6.6: [3e5349e54113e2dce1a659c57935e18032742e56]
CVE-2026-45955: md/md-llbitmap: fix percpu_ref not resurrected on
suspend timeout
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45955
Introduced by commit 5ab829f ("md/md-llbitmap: introduce new lockless
bitmap") in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d119bd2e1643cc023210ff3c6f0657e4f914e71d]
stable/6.18: [095417d6b669c2dec39a5842ccb94df915f97f54]
CVE-2026-45956: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in
vidi_connection_ioctl()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45956
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
cip/4.19-st: [24dcd1c4171726a32c448cce00e71abde07c666b]
mainline: [d3968a0d85b211e197f2f4f06268a7031079e0d0]
stable/5.10: [2987642c5213508c6c9e718324c0d5289a92c474]
stable/5.15: [65d1213baffa363f2eb1117b1dc7acc573b890f8]
stable/6.1: [875fa28690e93ed5296c31d3344556c6bb867234]
stable/6.18: [b5fc86d753dd4c281a943b92f0eef02d31af03d7]
stable/6.6: [21ca24ba51a2c28bcc4df9d7e5a40b0eb66ab76d]
CVE-2026-45957: rcu: Fix rcu_read_unlock() deadloop due to softirq
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45957
Introduced by commit 5f5fa7e ("rcu: Don't use negative nesting depth
in __rcu_read_unlock()") in v5.8-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d41e37f26b3157b3f1d10223863519a943aa239b]
stable/6.12: [1f16679a5aa60238466ce339c35f5e82ece60337]
stable/6.18: [4a4a6e12c9c829be3f74b7206fa8640fc4e1c566]
stable/6.6: [979c708e6c9d7fc461daef2dad8b45f22e23464c]
CVE-2026-45958: drm/exynos: vidi: fix to avoid directly dereferencing
user pointer
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45958
Introduced commit is not determined.Fixed in v7.0-rc1.
Fixed status
mainline: [d4c98c077c7fb2dfdece7d605e694b5ea2665085]
stable/5.10: [13537f7f6d28a87ee2e496e071b6ad9541905f23]
stable/5.15: [c2914c0ca7557c6c5c845621cb6d6c9f26ab5a8c]
stable/6.1: [7efb6a4e6b1b523e744d17e6249757ed97caae7c]
stable/6.12: [4c4193829109f38b2855de77981adc2e066286c7]
stable/6.18: [4949e32387fe315b59ad5f422c9fc52836fbdd1e]
stable/6.6: [2e147aa3169b83eaf044776f81d86235bf147de1]
CVE-2026-45959: crypto: ccp - Fix a crash due to incorrect cleanup
usage of kfree
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45959
Introduced by commit a714755 ("crypto: ccp - reduce stack usage in
ccp_run_aes_gcm_cmd") in v6.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d5abcc33ee76bc26d58b39dc1a097e43a99dd438]
stable/6.18: [9a3ace9b010ffd8c422c97844ae152f7c53d6b18]
CVE-2026-45960: hfsplus: return error when node already exists in
hfs_bnode_create
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45960
Introduced by commit 634725a ("[PATCH] hfs: cleanup HFS+ prints") in v2.6.20.16.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [f159703caf7244659069f3b3ef40b87ca4bd94b9]
cip/4.4-st: [43b88ebc498164c6f3b9e6f71fbef98099668499]
mainline: [d8a73cc46c8462a969a7516131feb3096f4c49d3]
stable/5.10: [1ca428769cb4737a25bd32fb4d1573cc09eeaeef]
stable/5.15: [507a1de58c21c95ad7c44afccaf1222d1c42246b]
stable/6.1: [986455135b95f32c1f142068e451098fc751749e]
stable/6.12: [51838112d9c22502333c3085ca0c0d691e7093c6]
stable/6.18: [2e6ff6a6fc69cc17ed10c9cb6242935d52acd52d]
stable/6.6: [7b57ada854b32310f224abd61bcfec2d5790ff0a]
CVE-2026-45961: gfs2: fix memory leaks in gfs2_fill_super error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45961
Introduced by commit 6c7410f ("gfs2: gfs2_freeze_lock_shared cleanup")
in v6.5-rc1.
Introduced by commit b66f723 ("gfs2: Improve gfs2_make_fs_rw error
handling") in v6.3-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102]
CVE-2026-45962: ublk: Validate SQE128 flag before accessing the cmd
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45962
Introduced by commit 71f28f3 ("ublk_drv: add io_uring based userspace
block driver") in v6.0-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [da7e4b75e50c087d2031a92f6646eb90f7045a67]
stable/6.1: [4b4dff498f46e9802f71bc84258bf73065f51c6a]
stable/6.12: [dbe8e81a2ec608f87f79a34f6444cd62f6a243bb]
stable/6.18: [f75a5555e0049e7857eae25b60aee98b80e287ec]
stable/6.6: [31cac6acf77ece488f29fb8f79589d9298e969c8]
CVE-2026-45963: ASoC: nau8821: Cancel delayed work on component remove
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45963
Introduced by commit aab1ad1 ("ASoC: nau8821: new driver") in v5.16-rc1.
Introduced by commit ee70bac ("ASoC: nau8821: Avoid unnecessary
blocking in IRQ handler") in v6.18-rc2.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [dbd3fd05cddfdeec1e49b0a66269881c09eebd17]
CVE-2026-45964: SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45964
Introduced by commit 5940d1c ("SUNRPC: Rebalance a kref in
auth_gss.c") in v5.2-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [6d307f0dce6c6468cb949c610b39dc2e7b5dfa13]
mainline: [dd2fdc3504592d85e549c523b054898a036a6afe]
stable/5.10: [3b2b6c42070ce4204936288253baf101e995c2d3]
stable/5.15: [b559be2ec6cdb2e9c2c36c23fbbd4690d8a5c3f7]
stable/6.1: [a1bc9561b617ec7e2d09e6c134d1db8fcf9ca4a6]
stable/6.12: [e464e26b2457005c87e158570498274b9f3b90c7]
stable/6.18: [c20f925214249bb4fc04f7e197bea142a6438af6]
stable/6.6: [655c9ba9915f05266998dbbf4b76b3c79b8a70aa]
CVE-2026-45965: apparmor: fix invalid deref of rawdata when
export_binary is unset
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45965
Introduced by commit 1180b4c ("apparmor: fix dangling symlinks to
policy rawdata after replacement") in v4.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [481b6b31de88b39953030654938b4765850c44c2]
mainline: [df9ac55abd18628bd8cff687ea043660532a3654]
stable/5.10: [e6b2fc7e34d4e7ca6b8598c33a3d45d59e455d8d]
stable/5.15: [6d8c180c825cbc73eeffaa79591f8e142dacae70]
stable/6.1: [3c36b87fc2a4cf88eadea8cf13923bd2b4f9a3fa]
stable/6.12: [19f2e4055626a58842ddec3282ad4465a80c6625]
stable/6.18: [1d2b2b58fde9059a488bc25399e6c3d74e9b5548]
stable/6.6: [b25298e89a297c42eb4c4d6f081d60375b820abb]
CVE-2026-45966: apparmor: fix NULL pointer dereference in
__unix_needs_revalidation
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45966
Introduced by commit 88fec35 ("apparmor: make sure unix socket
labeling is correctly updated.") in v6.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e2938ad00b21340c0362562dfedd7cfec0554d67]
stable/6.18: [fea017a7f6abe179decf575a2d8464c74edb3964]
CVE-2026-45967: bpf: Return proper address for non-zero offsets in insn array
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45967
Introduced by commit 493d9e0 ("bpf, x86: add support for indirect
jumps") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8]
CVE-2026-45968: cpuidle: Skip governor when only one idle state is available
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45968
Introduced by commit dc2251b ("cpuidle: Eliminate the
CPUIDLE_DRIVER_STATE_START symbol") in v4.14-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [aac344983ab61913ac942bb107be03db3c135d89]
mainline: [e5c9ffc6ae1bcdb1062527d611043681ac301aca]
stable/5.10: [a0f7e804edc82e513d1ccb7c95ed8b351522ec81]
stable/5.15: [5d103a38e2ae96eca57fd17161bcd29bd4622d1c]
stable/6.1: [4da2b897283c39980d6ae09dc1560fcd937879e5]
stable/6.12: [8f6833d919bae915ead6c599a53e81e19b32da52]
stable/6.18: [63ae78336f40bcd9a44952a7c6bafb9c88a8effd]
stable/6.6: [5c577ac939bca486cb02069505cfe47a5312ce02]
CVE-2026-45969: HID: playstation: Add missing check for input_ff_create_memless
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45969
Introduced by commit 5115109 ("HID: playstation: add DualSense classic
rumble support.") in v5.12-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e6807641ac94e832988655a1c0e60ccc806b76dc]
stable/5.15: [496a345cc047a2c2d9d5a76956e1182525578bd5]
stable/6.1: [987dee1486e975e2baa6a5d062cfdf18bbe901c8]
stable/6.12: [d955aeb26e1210a018492b3b32cbdfaf017aaa25]
stable/6.18: [35301ca2a83d17aac2f3e8e35c696f0da2a13111]
stable/6.6: [33acf9a4d6eb1f6d01691faca96ad6b2ab0fcfc0]
CVE-2026-45970: bonding: alb: fix UAF in rlb_arp_recv during bond up/down
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45970
Introduced by commit 3aba891 ("bonding: move processing of recv
handlers into handle_frame()") in v3.0-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [8c280cccfbfad2e3f79e0077a6b1a9bf318342db]
cip/4.4-st: [8d88dd01136add611175737e02f3f48650fb8a55]
mainline: [e6834a4c474697df23ab9948fd3577b26bf48656]
stable/5.10: [fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c]
stable/5.15: [de7c097800f07f3c108185c7a38b53a530ba30ff]
stable/6.1: [db5435b5342e3aaa4521d0f3ccfe94316b253ca1]
stable/6.12: [c65cdf46ce340c9c00fbbaf84599d2daff43626e]
stable/6.18: [fef13c403be3fb685cb06419e6b3623106aab5ba]
stable/6.6: [f94a0de7b9f32745a14a1621c63087a092823587]
CVE-2026-45971: bpf: Limit bpf program signature size
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45971
Introduced by commit 3492715 ("bpf: Implement signature verification
for BPF programs") in v6.18-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ea1535e28bb3773fc0b3cbd1f3842b808016990c]
stable/6.18: [5835a077c6f5c565d525eaca9fac01572b97a9b9]
CVE-2026-45972: smb: client: fix potential UAF and double free in
smb2_open_file()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45972
Introduced by commit e3a4363 ("smb/client: fix memory leak in
smb2_open_file()") in v6.19.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/6.1 stable/6.12 stable/6.18 stable/6.6
Fixed status
mainline: [ebbbc4bfad4cb355d17c671223d0814ee3ef4eda]
stable/6.1: [96e53bb3ee2f354cf6b4ab07bcc56e500f8b3f74]
stable/6.12: [4d339b219004869e96c4ce56b8891f83a38da4c0]
stable/6.18: [e66dcf7bb9c4df5582c82bc3582725abcbfbea73]
stable/6.6: [7425453ea16dbc3bbb0f6cac4d60b537e5e4d151]
CVE-2026-45973: RDMA/mlx5: Fix UMR hang in LAG error state unload
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45973
Introduced by commit ede132a ("RDMA/mlx5: Move events notifier
registration to be after device registration") in v6.13-rc1.
Fixed in v7.0-rc1.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.6
Fixed status
mainline: [ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211]
stable/6.12: [c8fb5c965ac7d0104872a8e4f6451f3bc6328199]
stable/6.18: [6d838873da9cb97551d42316967cc82bf8f8031b]
CVE-2026-45974: btrfs: fix invalid leaf access in btrfs_quota_enable()
if ref key not found
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45974
Introduced by commit 5223cc6 ("btrfs: drop the path before adding
qgroup items when enabling qgroups") in v5.10-rc2.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ecb7c2484cfc83a93658907580035a8adf1e0a92]
stable/5.10: [023545e272f369d487e6a986c1e321c6e04be1da]
stable/5.15: [fd4913a53e3b54ad7e161847291439fe445d6356]
stable/6.1: [b5b8ade9da452086e78f5d519b90d3769e354853]
stable/6.12: [0761447f6f51e1c7997960d8e6559337deed6729]
stable/6.18: [d7cf2314dd5e8661c05d076cd627eea9a7f76616]
stable/6.6: [1ee1d006c9fe4d6be5527ab1c84216b80cccbe40]
CVE-2026-45975: ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45975
Introduced by commit 87213b0 ("ublk: allow non-blocking ctrl cmds in
IO_URING_F_NONBLOCK issue") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ed9f54cc1e335096733aed03c2a46de3d58922ed]
CVE-2026-45976: drm/amdgpu: Fix memory leak in amdgpu_ras_init()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45976
Introduced by commit fdc94d3 ("drm/amdgpu: Rework pcie_bif ras
sw_init") in v6.4-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ee41e5b63c8210525c936ee637a2c8d185ce873c]
stable/6.12: [c11cd77a18115d2cd3f4b6915c4a537b6042f950]
stable/6.18: [2fef8c2ac67e7c1b0409d23653300b134c63e54c]
stable/6.6: [f8a5426652bdadd4a5cb48326d48abbdfebe8153]
CVE-2026-45977: fbnic: close fw_log race between users and teardown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45977
Introduced by commit ecc53b1 ("eth: fbnic: Enable firmware logging")
in v6.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ee5492fd88cfc079c19fbeac78e9e53b7f6c04f3]
stable/6.18: [223cfef4812bdfa5ac5c1aa761cdba03cfe2c9cd]
CVE-2026-45978: staging: greybus: lights: avoid NULL deref
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45978
Introduced by commit 2870b52 ("greybus: lights: add lights
implementation") in v4.9-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [250f16e08b94d62f8c0b6294c6bce6dc6332c3e7]
mainline: [efcffd9a6ad8d190651498d5eda53bfc7cf683a7]
stable/5.10: [a118724d7641b832fa14323e2733e28ae4834552]
stable/5.15: [3cbe694d235d96f628ec7dc6ae4d8bdddb768699]
stable/6.1: [ba5022162da63059bae36c4fd84d7031f582c71f]
stable/6.12: [01b91cb3e748032fd96bbe0043812b426a52f091]
stable/6.18: [06162d85f830582da6e9e5fcf9c9504d6da9ae0b]
stable/6.6: [65f2c608096d766540953d9b170d216aa3b5eb95]
CVE-2026-45979: drm/amdgpu: clean up the amdgpu_cs_parser_bos
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45979
Introduced by commit 737da53 ("drm/amdgpu: update the functions to use
amdgpu version of hmm") in v6.19-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f025a2b8d93358467b8e8f4b3a617e88c5f02fab]
CVE-2026-45980: accel/amdxdna: Stop job scheduling across
aie2_release_resource()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45980
Introduced by commit 4fd6ca9 ("accel/amdxdna: Refactor hardware
context destroy routine") in v6.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f1370241fe8045702bc9d0812b996791f0500f1b]
stable/6.18: [b79d31dce49b50c79620389b3639280802a86960]
CVE-2026-45981: s390/cio: Fix device lifecycle handling in
css_alloc_subchannel()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45981
Introduced by commit e5dcf00 ("s390/css: move subchannel lock
allocation") in v3.10-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [998cb503a553dcaedcfbb0540dbb764250baa0e0]
cip/4.4-st: [b82b54eaf48f11db22c0278a0746ba79db39a941]
mainline: [f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7]
stable/5.10: [2b2ad7ad4a28ffdb9f94e6d979b88a5b12b71681]
stable/5.15: [b1d4e6fb241672850296956c4d782a69363a3807]
stable/6.1: [fd295a75d828c11acfcc6869c2a12cdaaf9b7722]
stable/6.12: [f96c5ccf95ae5f27218c1ce2d6a3ad2d3e105424]
stable/6.18: [6715560527e343a387e4a0d2e6c401748e89fa55]
stable/6.6: [abb6e07f46a740cda4f07d1b561ae4eaa7a1df42]
CVE-2026-45982: ACPICA: Fix NULL pointer dereference in
acpi_ev_address_space_dispatch()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45982
Introduced by commit 0acf24a ("ACPICA: Add support for PCC Opregion
special context data") in v5.17-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f851e03bce968ff9b3faad1b616062e1244fd38d]
stable/6.1: [7d99cbe717c1b15a66559215df32312d8cf7e525]
stable/6.12: [cce354524da4d10fd2c7eb835e2e4e8ab8c0ce97]
stable/6.18: [b24595b86920911d2b04f862422b896a0620e9ad]
stable/6.6: [f2cf475d23b8486dfa414f7ac09f918ffd3c32a5]
CVE-2026-45983: nfsd: never defer requests during idmap lookup
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45983
Introduced by commit 2f42587 ("nfsd: don't use the deferral service,
return NFS4ERR_DELAY") in v2.6.30-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f9c206cdc4266caad6a9a7f46341420a10f03ccb]
stable/5.10: [b9abb760db20504240a7147f27934d900cd80b23]
stable/5.15: [3a72c7dedc99b321e0f267e4e999e5baf07c4593]
stable/6.1: [99e17b20fddac19a228d213e00f6b9e1c10daff9]
stable/6.12: [063a6f22478ef929625000a2caf54667725c1dfd]
stable/6.18: [d75ec4504a4340b033b15cad0303988b3089dd93]
stable/6.6: [243f71ed873ff3feeb6f9b5cb145d63f7188b4c4]
CVE-2026-45984: gfs2: Fix use-after-free in iomap inline data write path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45984
Introduced by commit d0a22a4 ("gfs2: Fix iomap write page reclaim
deadlock") in v5.2-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [faddeb848305e79db89ee0479bb0e33380656321]
stable/5.10: [1403989d1b502f4a2c0d0b42ccf1c25748442eff]
stable/5.15: [1cae1bafdf9caa9b462b19af06b1a06902e4e142]
stable/6.1: [764c3c84b5683e608f43735c803a5f415046686c]
stable/6.12: [87d4954b5c59735a99ea98cb208d47130f6dce7d]
stable/6.18: [6d76febba07c40bcf358f63216d36ea68cf1c215]
stable/6.6: [d87268326b277af3665237ac76a73dd9fa8e21b4]
CVE-2026-45985: ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting
before submitting I/O
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45985
Introduced by commit b8a8684 ("ext4: Introduce FALLOC_FL_ZERO_RANGE
flag for fallocate") in v3.15-rc1.
Fixed in v7.0-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [feaf2a80e78f89ee8a3464126077ba8683b62791]
stable/5.10: [77e407967cd872cd75d7e4a691908e49c8e6b4d4]
stable/5.15: [37555690f39f78ef69af347d9aff897e07445949]
stable/6.12: [2920ec61c98b9476781359f05b94da84e80f54d4]
stable/6.18: [2698731d25823267c29190cb578da9296a0c0d7b]
stable/6.6: [67cdb7bd7442bd3cdc6d6088bbb2df9be2fe936c]
CVE-2026-45986: crypto: ccree - fix a memory leak in cc_mac_digest()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45986
Introduced by commit 6389381 ("crypto: ccree - add ahash support") in v4.17-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [02c64052fad03699b9c6d1df2f9b444d17e4ac50]
stable/6.12: [22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b]
stable/6.18: [910f335786a0a0f0b46c3c8c19a13d25cb4454b6]
stable/6.6: [3061c9bfb3f5b3522ab174e2fa7473b24422d1c6]
stable/7.0: [502440c235fe34cee02b24d7f893841f7565b3bc]
CVE-2026-45987: KVM: nSVM: Sync interrupt shadow to cached vmcb12
after VMRUN of L2
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45987
Introduced by commit cc440cd ("KVM: nSVM: implement
KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE") in v5.8-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [03bee264f8ebfd39e0254c98e112d033a7aa9055]
stable/6.12: [2f950eeb27af6885416232761700b8820cae0a61]
stable/6.18: [497f6af9679fc9c6ce2f438e11ed5d51b1aa8297]
stable/6.6: [1709418535a8df95532999d61b03d59975280258]
stable/7.0: [e0377e52f3c10ee572732d11b04625b7f517a862]
CVE-2026-45988: rxrpc: Fix re-decryption of RESPONSE packets
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45988
Introduced by commit 17926a7 ("[AF_RXRPC]: Provide secure RxRPC
sockets for use by userspace and kernel both") in v2.6.22-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0422e7a4883f25101903f3e8105c0808aa5f4ce9]
stable/6.12: [7b89868305052b94a91b708c462bc2281fa42a4a]
stable/6.18: [76cb9a2d252274adfae6e293a292434631a7d472]
stable/6.6: [d61482be4aae1835b78875761206241835a7510e]
stable/7.0: [f55b383070170e988e4dec28be2af1714d258521]
CVE-2026-45989: of: unittest: fix use-after-free in testdrv_probe()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45989
Introduced by commit 26409dd ("of: unittest: Add pci_dt_testdrv pci
driver") in v6.6-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [07fd339b2c253205794bea5d9b4b7548a4546c56]
stable/6.12: [d68347b07b9801791c9eaab8f772770b52b8cd5c]
stable/6.18: [5b6122a67a295f8a08b7c18d908a1bd974dfaec8]
stable/6.6: [0ba03e06f037df704d9b032e36d417633e2326bc]
stable/7.0: [6b2023286d2c6ed3bf964fb92e34c9c14d42eb69]
CVE-2026-45990: slub: fix data loss and overflow in krealloc()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45990
Introduced by commit 2cd8231 ("mm/slub: allow to set node and align in
k[v]realloc") in v6.18-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [082a6d03a2d685a83a332666b500ad3966349588]
stable/6.18: [38387ccc0fbe38d14fb4c2ad7ee1d7404e5e59fd]
stable/7.0: [550fa6b5aabb096554536ac1e3ec96b76cbb35fd]
CVE-2026-45991: udf: fix partition descriptor append bookkeeping
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45991
Introduced by commit ee4af50 ("udf: Fix mounting of Win7 created UDF
filesystems") in v4.19-rc2.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [08841b06fa64d8edbd1a21ca6e613420c90cc4b8]
stable/6.12: [b5597bb83fc37b5b5da74a4453fa920b932cf39a]
stable/6.6: [058b451b1039f056d1362c4fec2229e522366ab0]
stable/7.0: [08fa5d818e5bf53c7ca234d88ba334f32004e9b6]
CVE-2026-45992: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45992
Introduced by commit 28abd22 ("ALSA: caiaq: Handle probe errors
properly") in v7.1-rc1.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.18 stable/6.6 stable/7.0
Fixed status
mainline: [0a7b5221b5b51cc798fcfc3be00d02eade149d69]
stable/6.12: [e0fb842af7052f0ab9e709db0c59300aa4051fc0]
stable/6.18: [1d160e30aa42b7c41163e51366bb34432367260d]
stable/6.6: [be62c8bb03b6aec3790a943d4a7567d4d73b8be9]
stable/7.0: [438ab932dc6fef5b001dfeba08a18a491edc8f7b]
CVE-2026-45993: LoongArch: Add spectre boundry for syscall dispatch table
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45993
Introduced commit is not determined.Fixed in v7.1-rc1.
Affected function was added by be76964 ("LoongArch: Add system call
support") in v5.19-rc1.
Fixed status
mainline: [0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d]
stable/6.12: [07040904ad217545be096d4280ed33c02f6a3750]
stable/6.18: [85cbf7fb568af5358aae61925c4e66b8f5e1439d]
stable/6.6: [108f2cd13577a410c0ad6ea00708596d9d0dfc90]
stable/7.0: [bc84a109c2082dd0c4b38e8d923c046b41977533]
CVE-2026-45994: ibmasm: fix OOB reads in command_file_write due to
missing size checks
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45994
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0eb09f737428e482a32a2e31e5e223f2b35a71d3]
stable/6.12: [aefc1a97da17d8309974690c8a03e439a91ebb1c]
stable/6.18: [ee5737891464030a189837467df3b81a273718ad]
stable/6.6: [a672682d39dd34e2b5ba4feb436723bed65125ff]
stable/7.0: [d0fb4d1dc43f8d5179917a2daaa82680993d4cdf]
CVE-2026-45995: io_uring/zcrx: fix user_struct uaf
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45995
Introduced by commit 5c68645 ("io_uring/zcrx: add user_struct and
mm_struct to io_zcrx_ifq") in v6.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [0fcccfd87152f957fa8312b841f6efef42a05a20]
stable/7.0: [9feb88eeda6d288f93fcfb6bca563f89e316479d]
CVE-2026-45996: spi: imx: fix use-after-free on unbind
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45996
Introduced by commit 307c897 ("spi: spi-imx: replace struct
spi_imx_data::bitbang by pointer to struct spi_controller") in
v5.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1c78c2002380a1fe31bfb01a3d5f29809e55a096]
stable/6.12: [385a330083f8dd47c15b02e9a83aef9234a37003]
stable/6.18: [132e47030b0b5e398e0da6c59df5a5dae9b52cff]
stable/6.6: [f99165ef067723221472ce1aff632bc74f562643]
stable/7.0: [aa9025a498036b6012769f7af36d421385386c17]
CVE-2026-45997: scsi: sd: fix missing put_disk() when
device_add(&disk_dev) fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45997
Introduced by commit 265dfe8 ("scsi: sd: Free scsi_disk device via
put_device()") in v5.15-rc3.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/4.4 cip/4.4-rt cip/4.4-st
cip/5.10 cip/5.10-rt stable/5.10
Fixed status
mainline: [1e111c4b3a726df1254670a5cc4868cedb946d37]
stable/6.12: [b64b4f499801b12d0e2785447e4df6c164c608a9]
stable/6.18: [13e550fbfccdb311e76ec96892dfe35f0dba0657]
stable/6.6: [262152ec37101f9dc524743ccdbd6c7641d14573]
stable/7.0: [a95d38c5701431bfc826e7b18acc0785919d5c88]
CVE-2026-45998: rxrpc: Fix potential UAF after skb_unshare() failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45998
Introduced by commit 2d1faf7 ("rxrpc: Simplify skbuff accounting in
receive path") in v6.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [1f2740150f904bfa60e4bad74d65add3ccb5e7f8]
stable/6.12: [bf20f46d94f1db38e6ffc0ca204a5fe0de01b495]
stable/6.18: [996b0487b3cdda4c91811dbb1c9564626bc840bd]
stable/6.6: [e3bf143b1e98fb3d6d9e6825bcd683974d478e8c]
stable/7.0: [8fde6296c4d4da2be7ab761305ab7f232b94eefd]
CVE-2026-45999: erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-45999
Introduced by commit 598162d ("erofs: support decompress big pcluster
for lz4 backend") in v5.13-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab]
stable/6.12: [f1374fa6e57fd836623668d782ded9244cfd2938]
stable/6.18: [c9ce18e6bb2c467ec85756dc7989b547b7584fee]
stable/6.6: [43a878639b90e9721ffa5eb616a7e6d8454adef3]
stable/7.0: [bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e]
CVE-2026-46000: rxrpc: Fix conn-level packet handling to unshare
RESPONSE packets
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46000
Introduced by commit 17926a7 ("[AF_RXRPC]: Provide secure RxRPC
sockets for use by userspace and kernel both") in v2.6.22-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [24481a7f573305706054c59e275371f8d0fe919f]
stable/6.12: [98a2046d155f73f6cf5d2c493c5e09b4963e2e12]
stable/6.18: [ca71ac2de389b01eecdc48bfafbdf073ec232044]
stable/6.6: [c0428a22daf69714dc042b67ea759956b74c74e5]
stable/7.0: [d9b93a0f57ca5f6831bfaa34014b6cd705564a00]
CVE-2026-46001: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46001
Introduced by commit 1b2ca93 ("hwmon: Add driver for Astera Labs
PT5161L retimer") in v6.9-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [24c73e93d6a756e1b8626bb259d2e07c5b89b370]
stable/6.12: [7eccabff1c9ec15e4b6fe186d5c147b13a9cdb4e]
stable/6.18: [95d48e37a1304d6148406c799479c0fb505aefa7]
stable/7.0: [a11aa9c5fd9dfe62be7cfec1f2a7546afb77254c]
CVE-2026-46002: ext2: reject inodes with zero i_nlink and valid mode
in ext2_iget()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46002
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [25947cc5b2374cd5bf627fe3141496444260d04f]
stable/6.12: [d3af04a43db86379df7438bf8bade71685b8a239]
stable/6.18: [2dde6377ab2e46bb80cf066c659ef016f3ad7a9b]
stable/6.6: [32e0b925572686399243834ec99e2a9d85c62eae]
stable/7.0: [470264bbec499e276a89a6431144ae58f411ea4d]
CVE-2026-46003: net: qrtr: ns: Limit the total number of nodes
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46003
Introduced by commit 0c2204a ("net: qrtr: Migrate nameservice to
kernel from userspace") in v5.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [27d5e84e810b0849d08b9aec68e48570461ce313]
stable/6.12: [4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0]
stable/6.18: [5cf6d5e5e3b804a44692fbf548a5179442e2e923]
stable/6.6: [4c46413661431aa60fb134cd4ecdf8beaa39f824]
stable/7.0: [8022876894d09ae485b499058c3357da683bcc5d]
CVE-2026-46004: ALSA: caiaq: Handle probe errors properly
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46004
Introduced by commit 8e3cd08 ("[ALSA] caiaq - add control API and more
input features") in v2.6.25-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [28abd224db4a49560b452115bca3672a20e45b2f]
stable/6.12: [6251e3e256337a30160ef59ab1580dde4d1acd28]
stable/6.18: [e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056]
stable/6.6: [f537e3ad69609f6924a4db6b4a7f6561f5288bdd]
stable/7.0: [096dd8519cf2f768e9e14f224b627f7aaee1a9c5]
CVE-2026-46005: xfs: fix a resource leak in xfs_alloc_buftarg()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46005
Introduced by commit 6f643c5 ("xfs: implement ->notify_failure() for
XFS") in v6.0-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [29a7b2614357393b176ef06ba5bc3ff5afc8df69]
stable/6.12: [28a6c132b8c6e5eeefa889c4fb43d65b12989d48]
stable/6.18: [5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9]
stable/6.6: [82fb9da6477d08bdab954dc7bc081a41f2f9cae6]
stable/7.0: [5804cb507233ed767a83ac70527b2f6c4566ec75]
CVE-2026-46006: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46006
Introduced by commit a1606a9 ("drm/nouveau: new gem pushbuf interface,
bump to 0.0.16") in v2.6.34-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [2fc87d37be1b730a149b035f9375fdb8cc5333a5]
stable/6.12: [d749a9a0ee4014681487e7ae549901aa8c176637]
stable/6.18: [332884f5eb79dd60a7162b079d09d39208567a31]
stable/6.6: [fa297e919d1680c38ab268ff952b1698dac987f6]
stable/7.0: [e441d5c23ec644c8d27593db3b8928e8933512a9]
CVE-2026-46007: hwmon: (powerz) Avoid cacheline sharing for DMA buffer
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46007
Introduced by commit 4381a36 ("hwmon: add POWER-Z driver") in v6.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3023c050af3600bf451153335dea5e073c9a3088]
stable/6.12: [270e5c576a6e30f6b337fa91d35b44c241297533]
stable/6.18: [1869da3efe703b016b23d4885f3fe6c1751959c6]
stable/7.0: [2fa2273016a0483217404cfe330967c4ac6832a9]
CVE-2026-46008: mm/damon/core: fix damos_walk() vs kdamond_fn() exit race
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46008
Introduced by commit bf0eaba ("mm/damon/core: implement damos_walk()")
in v6.14-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [33c3f6c2b48cd84b441dba1ee3e62290e53930f4]
stable/7.0: [0ba956a239ba6e3fae8555d3660e22e675be63b5]
CVE-2026-46009: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46009
Introduced by commit 8b821cf ("PCI: endpoint: Add EP function driver
to provide NTB functionality") in v5.12-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3446beddba450c8d6f9aca2f028712ac527fead3]
stable/6.12: [756ca5e7ed22d9045bb4de4c981f9149278d5cd3]
stable/6.18: [65fc57c8b8f0b31be62be291cb1bb01755cec85d]
stable/6.6: [72099f015d3c77bf2eb703d1aab113bd7a60915a]
stable/7.0: [e813c95e4c8edd31599081e6356e20ada30e266d]
CVE-2026-46010: rxrpc: Fix error handling in rxgk_extract_token()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46010
Introduced by commit 64863f4 ("rxrpc: Fix unhandled errors in
rxgk_verify_packet_integrity()") in v6.17-rc7.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3476c8bb960f48e49355d6f93fb7673211e0163f]
stable/6.18: [293095ef618818852bac5488c1bc223935e2ca17]
stable/7.0: [c52803e925604e2a17962ab0c99dce2d3f7238db]
CVE-2026-46011: media: mtk-jpeg: fix use-after-free in release path
due to uncancelled work
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46011
Introduced by commit 5fb1c23 ("mtk-jpegenc: add jpeg encode worker
interface") in v6.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [34c519feef3e4fcff1078dc8bdb25fbbbd10303f]
stable/6.12: [0498b27a1542021d90269d58347501d4c3ccd84e]
stable/6.18: [26506a30e0e26d612f82a7bf0e395626968a44e6]
stable/6.6: [2209fdae5c2f615930c9af1379c1cfca199ec5d8]
stable/7.0: [e78c39f720679fcf3a2eacd82725ec3ea2648301]
CVE-2026-46012: rxrpc: Fix memory leaks in rxkad_verify_response()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46012
Introduced by commit 57af281 ("rxrpc: Tidy up abort generation
infrastructure") in v6.2-rc4.
Introduced by commit ec832bd ("rxrpc: Don't retain the server key in
the connection") in v5.11-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [34f61a07e0cdefaecd3ec03bb5fb22215643678f]
stable/6.12: [852b9d64cea421336579b2de3d1338dfa677e2dd]
stable/6.18: [861b9a0a1823bf064a7b810d29502a9ef043f40f]
stable/6.6: [c4b8f32e73eafd4a5076be890c7c8506ec04567c]
stable/7.0: [c91f33fb8356dedc82bc56ce210f1a5dbee62a52]
CVE-2026-46013: mm/memfd_luo: fix physical address conversion in
put_folios cleanup
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46013
Introduced by commit b3749f1 ("mm: memfd_luo: allow preserving memfd")
in v6.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3538f90ab89aaf302782b4b073a0aae66904cd67]
stable/7.0: [bd0d6bde286a2b8e3ae7975b0dcc2d43875d5fc9]
CVE-2026-46014: KVM: SVM: Add missing save/restore handling of LBR MSRs
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46014
Introduced by commit 24e09cb ("KVM: SVM: enable LBR virtualization")
in v2.6.26-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3700f0788da6acf73b2df56690f4b201aa4aefd2]
stable/6.18: [2b922a42b531a82d7881add14a7698dcdc5e1f0a]
stable/7.0: [13a89ada5dcfc2539514c83ba5a2c61157f1ec6c]
CVE-2026-46015: tcp: call sk_data_ready() after listener migration
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46015
Introduced by commit 54b92e8 ("tcp: Migrate
TCP_ESTABLISHED/TCP_SYN_RECV sockets in accept queues.") in v5.14-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3864c6ba1e041bc75342353a70fa2a2c6f909923]
stable/6.12: [bebd058ef40c67a81fe6d9ee8beaa4ede90e0704]
stable/6.18: [83bb57635d7cbafde32f865b577ecfd969f02337]
stable/6.6: [ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b]
stable/7.0: [12625b4da84caf4d84a04988710a7b9bcf702b18]
CVE-2026-46016: remoteproc: xlnx: Only access buffer information if
IPI is buffered
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46016
Introduced by commit 5dfb28c ("remoteproc: xilinx: Add mailbox
channels for rpmsg") in v6.4-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6]
stable/6.12: [7ddbf21116770b7011f2bb0a6056b7604b24c497]
stable/6.18: [06d0bed2552fd0dae27d374d4492a2b672e24eed]
stable/6.6: [5d1451cb2cf6f3d9884d76035a1460aa9bb4b053]
stable/7.0: [8242579859a78c801bb626e9aa4823aca93e28e7]
CVE-2026-46017: mm: fix deferred split queue races during migration
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46017
Introduced commit is not determined.Fixed in v7.1-rc1.
Fixed status
mainline: [3bac01168982ec3e3bf87efdc1807c7933590a85]
stable/7.0: [cbf75cf212ee6e499abc1757fb4b5ae6d70ed0aa]
CVE-2026-46018: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46018
Introduced by commit 4fa0e81 ("ALSA: usb-audio: fix possible hang and
overflow in parse_uac2_sample_rate_range()") in v3.3-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3c318f97dcc50b2e0556a1813bd6958678e881fd]
stable/6.12: [ba036305323814ec1f8655313b2fa6a0f7048716]
stable/6.18: [4d7893a137eadb6163ea4298bf67d74b811d76ef]
stable/6.6: [ab5ba9fd138758ddc50222264ff246b31e397abf]
stable/7.0: [a0b78639ef09b2e77974a3de3b1c07f6de3c5e56]
CVE-2026-46019: crypto: atmel-aes - Fix 3-page memory leak in
atmel_aes_buff_cleanup
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46019
Introduced by commit bbe628e ("crypto: atmel-aes - improve
performances of data transfer") in v4.5-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [3fcfff4ed35f963380a68741bcd52742baff7f76]
stable/6.12: [65b3589d39d05699c3850202f8333e5361033ea3]
stable/6.18: [61516b4a5b2647dc3f8f67b5dffaf038be997511]
stable/6.6: [b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca]
stable/7.0: [230ad8a78fe67266b1ba4685da1abdd61471c5b8]
CVE-2026-46020: mm/damon/core: validate damos_quota_goal->nid for
node_mem_{used,free}_bp
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46020
Introduced by commit 0e1c773 ("mm/damon/core: introduce damos quota
goal metrics for memory node utilization") in v6.16-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [40250b2dded0604a112be605f3828700d80ad7c2]
stable/6.18: [b09958e235f2b9cd3898b85a8529172afa80d212]
stable/7.0: [bcad74078708f2330a45b55358ebc38f8f4b1127]
CVE-2026-46021: thermal: core: Fix thermal zone governor cleanup issues
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46021
Introduced by commit e33df1d ("thermal: let governors have private
data for each thermal zone") in v4.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [41ff66baf81c6541f4f985dd7eac4494d03d9440]
stable/6.12: [f412e541d25a3dfaf3d53e012ade6ff03cae8a45]
stable/6.18: [75f8f3c3e09122270986de9d7aa347d701676761]
stable/6.6: [37a430a2d4e66ec8238da6c7f7e48809bf265e13]
stable/7.0: [64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06]
CVE-2026-46022: misc: ibmasm: fix OOB MMIO read in
ibmasm_handle_mouse_interrupt()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46022
Introduced by commit 278d72a ("[PATCH] ibmasm driver: redesign
handling of remote control events") in v2.6.13-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4b6e6ead556734bdc14024c5f837132b1e7a4b84]
stable/6.12: [07c4f18b303106e6b24492c12b95d48a4b985841]
stable/6.18: [22a16d3eafee92a165c756081587c95850127107]
stable/6.6: [fc7e9a74e32299d7e93e178ca482a0b59ef1595b]
stable/7.0: [1ca75f6b74ec7f685464e5745ecfcf3a76d284e9]
CVE-2026-46023: dm mirror: fix integer overflow in create_dirty_log()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46023
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [4c788c6f921b22f9b6c3f316c4a071c05683e7de]
stable/6.12: [47dad9eea75d33212d3d2cea10e7ed6a1bfc0713]
stable/6.18: [87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca]
stable/6.6: [35f6b3281efd44d19110574663bc17a610bc73b9]
stable/7.0: [17a08791d428885d00e510864283a7b839792368]
CVE-2026-46024: libceph: Prevent potential null-ptr-deref in
ceph_handle_auth_reply()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46024
Introduced commit is not determined.Fixed in v7.1-rc1.
Fixed status
mainline: [5199c125d25aeae8615c4fc31652cc0fe624338e]
stable/6.12: [927e4bd5692f2a4901808822981fb2c8d4456548]
stable/6.18: [016bc663657366d386993f63eb31072eb45a2b77]
stable/6.6: [4b2738b93edad661178340239de657d876b73d3d]
stable/7.0: [8f2be7285941a33a9f72579a23b96392f83c758e]
CVE-2026-46025: mm/damon/core: fix damon_call() vs kdamond_fn() exit race
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46025
Introduced by commit 42b7491 ("mm/damon/core: introduce damon_call()")
in v6.14-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [55da81663b9642dd046b26dd6f1baddbcf337c1e]
stable/6.18: [2691332ad88b57179c38653e2cd613d5820a52cf]
stable/7.0: [e6a053a6f4b5048746c49432a5cc5b79fe4695fe]
CVE-2026-46026: net: qrtr: ns: Limit the maximum number of lookups
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46026
Introduced by commit 0c2204a ("net: qrtr: Migrate nameservice to
kernel from userspace") in v5.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5640227d9a21c6a8be249a10677b832e7f40dc55]
stable/6.12: [76adf8f69b0bb3ab20be7c58f5d555027332d113]
stable/6.18: [20855cef7e659ef84ac73251256fa530819b2346]
stable/6.6: [0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3]
stable/7.0: [2b930bc77e00cb27e1d6e1d497b3b596283465ef]
CVE-2026-46027: net/smc: avoid early lgr access in smc_clc_wait_msg
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46027
Introduced by commit 0cfdd8f ("smc: connection and link group
creation") in v4.11-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5a8db80f721deee8e916c2cfdee78decda02ce4f]
stable/6.12: [6180a296ca65b08a81914805cbc0f78da5f10a1f]
stable/6.18: [ea0b5d0fe96356dce38f98375a57c52a04e13712]
stable/6.6: [f0858e1d5624bb120b198f2a8528f97a9b0ae069]
stable/7.0: [83bcf9228b0501694fb2589ed1d142855a2887f2]
CVE-2026-46028: crypto: algif_aead - snapshot IV for async AEAD requests
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46028
Introduced by commit d887c52 ("crypto: algif_aead - overhaul memory
management") in v4.14-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
cip/4.19-st: [732cdd28b4b03df1ba6ec9911b598b237932cdcb]
mainline: [5aa58c3a572b3e3b6c786953339f7978b845cc52]
stable/5.10: [08ea39a556ecd39b33c2b4888861001c6706a62e]
stable/5.15: [a920cabdb0b7cf1f4e11a20524253ae5bd09092b]
stable/6.1: [fa0fcec9b49d58e71df7ede91ecd86855f608e85]
stable/6.12: [46fdb39e83227b5d39f7c934a0947ea913f13c18]
stable/6.18: [ebc235675f24b0e3f8bc92b8419471d42f837d8f]
stable/6.6: [c2138c9bd02af19e0b407376140cd5435b0d81da]
stable/7.0: [3d72f8c6490dc79210b64270740cb2a8619361a4]
CVE-2026-46029: mm/slab: return NULL early from kmalloc_nolock() in NMI on UP
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46029
Introduced by commit af92793 ("slab: Introduce kmalloc_nolock() and
kfree_nolock().") in v6.18-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5b31044e649e3e54c2caef135c09b371c2fbcd08]
stable/6.18: [a8d95d274be241ad21f6523bf2d6ba0d7d7e46b7]
stable/7.0: [d66553204a15bdb257d9ef8aca1e12f5fbb910b2]
CVE-2026-46030: EDAC/versalnet: Fix device_node leak in mc_probe()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46030
Introduced by commit d5fe2fe ("EDAC: Add a driver for the AMD Versal
NET DDR controller") in v6.18-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5c709b376460ff322580c41600e31c02f7cc0307]
stable/6.18: [b6e61356ad24987be40bf25369d22dd8dd00a513]
stable/7.0: [17e136993b2b5111d1ee1c57bbd188ae0bb0e128]
CVE-2026-46031: net: ks8851: Reinstate disabling of BHs around IRQ handler
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46031
Introduced by commit e086363 ("net: ks8851: Queue RX packets in IRQ
handler instead of disabling BHs") in v6.9.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt stable/6.1 stable/6.6
Fixed status
mainline: [5c9fcac3c872224316714d0d8914d9af16c76a6d]
stable/6.12: [518040324067d8efaa2da1992297b7e7bf5640f4]
stable/6.18: [be8aad558b4675f45b43080f81a9ffdeddea73a5]
stable/6.6: [640a7631d31db87d5fa1b34cea44a99b6e78854b]
stable/7.0: [21f1707a8e978558dcb11b053855521e32ac0eec]
CVE-2026-46032: KVM: nSVM: Triple fault if restore host CR3 fails on
nested #VMEXIT
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46032
Introduced by commit d82aaef ("KVM: nSVM: use nested_svm_load_cr3() on
guest->host switch") in v5.9-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5d291ef0585ed880ed4dd71ea1a5965e0a65fb53]
stable/7.0: [9a738cf170a4a2332ea3a15e23ec65b5757fe4a1]
CVE-2026-46033: crypto: authencesn - reject short ahash digests during
instance creation
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46033
Introduced by commit f15f05b ("crypto: ccm - switch to separate cbcmac
driver") in v4.11-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5db6ef9847717329f12c5ea8aba7e9f588a980c0]
stable/6.12: [67f1f0933cc3d78dde222842bcad2778ec7a0b88]
stable/6.18: [b42821c15445f93daea3e76ada682b2b7181c476]
stable/6.6: [b69933e97efea238ebbfcf70c2b1be1cd03f13e3]
stable/7.0: [9aff81e8217e9de2929084b03b3c7f81988c112b]
CVE-2026-46034: vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46034
Introduced by commit 848e447 ("vfio/cdx: add interrupt support") in v6.10-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [5ea5880764cbb164afb17a62e76ca75dc371409d]
stable/6.12: [51bf7638f33aece41cb3f4cbeb942cc52950e329]
stable/6.18: [5d6c349c9823eb819fed8b537b088cf38126018c]
stable/7.0: [338a736aaf15e8ba3635ce20b29af5b8fc15e66a]
CVE-2026-46035: mm/page_alloc: return NULL early from
alloc_frozen_pages_nolock() in NMI on UP
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46035
Introduced by commit d7242af ("mm: Introduce
alloc_frozen_pages_nolock()") in v6.18-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [620b46ed6ae17c8438d889c8c0cfddab36a1476c]
stable/6.18: [05b4ed8bef30bba4f559c8d835e2dd20c48cf8a4]
stable/7.0: [a6d57efeaae3f3b3656514f600eac96be713d90e]
CVE-2026-46036: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46036
Introduced by commit 848e447 ("vfio/cdx: add interrupt support") in v6.10-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [670e8864b1a218d72f08db40d0103adf38fa1d9b]
stable/6.12: [ddf96e23c366c566283fce8377928851fa7f5e81]
stable/6.18: [7b436ade16cc81095d79b79f8efa3af0a4f5c5a2]
stable/7.0: [7530f34ec0ca1438d45a75dcb43183a1cc92eced]
CVE-2026-46037: ipv4: icmp: validate reply type before using icmp_pointers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46037
Introduced by commit d329ea5 ("icmp: add response to RFC 8335 PROBE
messages") in v5.13-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [67bf002a2d7387a6312138210d0bd06e3cf4879b]
stable/6.12: [bc64a66e0b9ad937d3d49934242ee62b01ba9a94]
stable/6.18: [c2178ff1c70ebfc2ab9651b230c58a34683db759]
stable/6.6: [92e7c209036dcc0e8ffdf806fdfd3645b263bea5]
stable/7.0: [d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1]
CVE-2026-46038: net: qrtr: ns: Free the node during ctrl_cmd_bye()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46038
Introduced by commit 0c2204a ("net: qrtr: Migrate nameservice to
kernel from userspace") in v5.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [68efba36446a7774ea5b971257ade049272a07ac]
stable/6.12: [65932f5102bb5377db36c8a4f0c28179a1967a9a]
stable/6.18: [154fc7fe3f62c46891c3c4302f4b5b5391c932e6]
stable/6.6: [ff78ed177a66763085e3214d6fbe13ca8f0b3f11]
stable/7.0: [076e4b162d6caba12c229e7f262df5b6881162b0]
CVE-2026-46039: rxgk: Fix potential integer overflow in length check
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46039
Introduced by commit 2429a19 ("rxrpc: Fix untrusted unsigned
subtract") in v6.17-rc7.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6929350080f4da292d111a3b33e53138fee51cec]
stable/6.18: [43222ac484f93b3ec2d240a7575e1cedd31f5fa4]
stable/7.0: [183d37f12d1c8ed24a5bfc7addad05510da22a94]
CVE-2026-46040: inotify: fix watch count leak when
fsnotify_add_inode_mark_locked() fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46040
Introduced by commit 1cce1ee ("inotify: Convert to using per-namespace
limits") in v4.11-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6a320935fa4293e9e599ec9f85dc9eb3be7029f8]
stable/6.12: [73ddc8518a32baff6bc17afda4ee1ebae5b4ed12]
stable/6.18: [fdaa42ca370d056428e5e171247c8fdce8dff36a]
stable/6.6: [8bcc1cd237ab5ccfdd102869fa031c541943cf40]
stable/7.0: [9e48844f708eb48bae4e79cb21edc097c966306d]
CVE-2026-46041: greybus: gb-beagleplay: fix sleep in atomic context in
hdlc_tx_frames()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46041
Introduced by commit ec558bb ("greybus: Add BeaglePlay Linux Driver")
in v6.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6b526dca0966f2370835765019a54319b78fca8d]
stable/6.12: [9f2b87bcdfed55145acbf932dc12f2c057145cad]
stable/6.18: [b2801647c203a38e013802e9e9616b5bfac64968]
stable/7.0: [51667fe2d9294d66e0228b9f51d1f01b6680a641]
CVE-2026-46042: mm/mempolicy: fix memory leaks in
weighted_interleave_auto_store()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46042
Introduced by commit e341f9c ("mm/mempolicy: Weighted Interleave
Auto-tuning") in v6.16-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [6fae274ce0e3109cbbc4c18b354eaace1f0af7d7]
stable/6.18: [c42a7efb9060d89b72708ffaf255d0002c2164a7]
stable/7.0: [39caa9ca863f96b3d00447c5aa200cabda489856]
CVE-2026-46043: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46043
Introduced by commit 8700e3e ("Soft RoCE driver") in v4.8-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7244491dab347f648e661da96dc0febadd9daec3]
stable/6.12: [f83519a4c122c9c7a850a2197648a9ff4c67c520]
stable/6.18: [9b924f3a26b21330a837cfe72e819b6393bbeeaa]
stable/6.6: [2fd4f8b749309a61c3f3f88ee8891d94f79e1240]
stable/7.0: [e8ee0e792d475b1067c199ef0af1b6221fa6f43d]
CVE-2026-46044: ipmi:ssif: Clean up kthread on errors
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46044
Introduced by commit 2593070 ("ipmi: Add SMBus interface driver
(SSIF)") in v3.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [75c486cb1bcaa1a3ec3a6438498176a3a4998ae4]
stable/6.18: [858bc8b9edb6eaf0522900128bb9053e2df6b0f6]
stable/6.6: [07f9bff69da84e462178d3f0ad1b32f19f13ad94]
stable/7.0: [800febc637d1c1974b1e899dea8a07e115d60766]
CVE-2026-46045: md/md-llbitmap: skip reading rdevs that are not in_sync
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46045
Introduced by commit 5ab829f ("md/md-llbitmap: introduce new lockless
bitmap") in v6.18-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7701e68b5072faa03a8f30b4081dc16df9092381]
stable/6.18: [98623c7e2a51eab1833c8628d33fa9c6ef3ce325]
stable/7.0: [3115fa2f62970d98f2a639145fb8e2767db8bbf9]
CVE-2026-46046: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46046
Introduced by commit c8e008b ("ext4: ignore xattrs past end") in v6.15-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st cip/5.10 cip/5.10-rt cip/6.1
cip/6.1-rt cip/6.12 stable/5.10 stable/5.15 stable/6.1 stable/6.12
stable/6.6
Fixed status
mainline: [77d059519382bd66283e6a4e83ee186e87e7708f]
stable/6.12: [097227f1ffe1a85bc3c359f81c71e3d40e06e920]
stable/6.18: [1e6b0a69bf2c9c819255c7566e4355536d81d9cf]
stable/6.6: [1bc1107a3a403a6d440673ed6666f7b07ef868a8]
stable/7.0: [f072906688933bf47fabbaf63560be03357c8298]
CVE-2026-46047: net: qrtr: ns: Fix use-after-free in driver remove()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46047
Introduced by commit 0c2204a ("net: qrtr: Migrate nameservice to
kernel from userspace") in v5.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7809fea20c9404bfcfa6112ec08d1fe1d3520beb]
stable/6.12: [db3c60ec772de30acae92d560dfcc5258e58dbe8]
stable/6.18: [2e127ceb1c415e246076d8e09e23e443a7a2038f]
stable/6.6: [0f313eb6a8f6dffa491373cf3afab979fa1c02f4]
stable/7.0: [f96779e916576e81430ebb326baff6e433fef8ae]
CVE-2026-46048: ALSA: caiaq: fix usb_dev refcount leak on probe failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46048
Introduced by commit 80bb50e ("ALSA: caiaq: take a reference on the
USB device in create_card()") in v7.1-rc1.
Fixed in v7.1-rc2.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.18 stable/6.6 stable/7.0
Fixed status
mainline: [7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b]
stable/6.12: [da3b8fd6a202d94fef11a443abc9171c52426a1c]
stable/6.18: [6153878c5255bb69b7d0868105ca078ef13cbcf8]
stable/6.6: [50c6a1f05973f56d23280c9d7645a7a5734e0907]
stable/7.0: [21ca595aafa40d3ac70eab1f4cb62cc00ca21657]
CVE-2026-46049: ALSA: ctxfi: Add fallback to default RSR for S/PDIF
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46049
Introduced by commit 8cc7236 ("ALSA: SB X-Fi driver merge") in v2.6.31-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7d61662197ecdc458e33e475b6ada7f6da61d364]
stable/6.12: [30f9494c6f2b53a78822cfb653ffbb1d092d44c8]
stable/6.18: [09496158f6ebba8830593f8972035c02f97124c1]
stable/6.6: [25ded535ee261161bcf19dafd525c542e606559d]
stable/7.0: [95b1ee8442cabbde83b2848e7c6100df90f3a00d]
CVE-2026-46050: md/raid10: fix deadlock with check operation and nowait requests
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46050
Introduced by commit 43806c3 ("raid10: cleanup memleak at
raid10_make_request") in v6.16-rc6.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.1 cip/6.1-rt cip/6.12 stable/5.15 stable/6.1 stable/6.12 stable/6.6
Fixed status
mainline: [7d96f3120a7fb7210d21b520c5b6f495da6ba436]
stable/6.12: [42fe37c90184cd1568838b84b488934c3671c963]
stable/6.18: [cac2106bb9a2180b288079b49ed626414fb5bc45]
stable/6.6: [965d6162dd88cc7cc193cf7f5bfc132d8bbf0523]
stable/7.0: [1cdff2937c618f81058422bbdc4974a3e7ec9379]
CVE-2026-46051: md/raid5: fix soft lockup in retry_aligned_read()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46051
Introduced by commit 773ca82 ("raid5: make release_stripe lockless")
in v3.12-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc]
stable/6.12: [80fc6ca2cbde018d52e13f305edcd643911bd94b]
stable/6.18: [1985cb3247e87ff6b8ca4bc5f9626f4f51024507]
stable/6.6: [09880592f5a9dc73377d6eb5ac123537b5f8df49]
stable/7.0: [883cc33b7af1c448663287f069ef9dfea001e90f]
CVE-2026-46052: ceph: only d_add() negative dentries when they are unhashed
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46052
Introduced by commit 2817b00 ("ceph: directory operations") in v2.6.34-rc2.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [803447f93d75ab6e40c85e6d12b5630d281d70d6]
stable/6.12: [4179cc390dacebc87079419ec92f86f3dc46294d]
stable/6.18: [b91e535f208c48a5e7464f1aa38338a30e7912df]
stable/6.6: [83ce43a21bb7df8dd52228afdd918d2d058eefde]
stable/7.0: [2010cb06b9df7d3c816c78358c566bdacbdf38ff]
CVE-2026-46053: net: rds: fix MR cleanup on copy error
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46053
Introduced by commit 0d4597c ("net/rds: Track user mapped pages
through special API") in v5.6-rc3.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8141a2dc70080eda1aedc0389ed2db2b292af5bd]
stable/6.12: [d95cea9298be1ba8876e3f156be96d3a492085ca]
stable/6.18: [033370ffb3c9c0264d19f8ba9ef769523266589a]
stable/6.6: [8fdbb6262a4a3ed44a0830a7793903b54bb27bdc]
stable/7.0: [b3cb8cae530b2727d8245684148bb49425f6765c]
CVE-2026-46054: selinux: fix overlayfs mmap() and mprotect() access checks
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46054
Introduced commit is not determined.Fixed in v7.1-rc1.
Fixed status
mainline: [82544d36b1729153c8aeb179e84750f0c085d3b1]
stable/7.0: [cd0e707a927a70cdfd8bc5a512a9719a87f5ed51]
CVE-2026-46055: apparmor: Fix string overrun due to missing termination
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46055
Introduced by commit 93d4dbd ("apparmor: Replace deprecated strcpy in
d_namespace_path") in v7.0-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [828bf7929bedcb79b560b5b4e44f22abee07d31b]
stable/7.0: [4b877ef27adc8ec187b0418629169856e7264e01]
CVE-2026-46056: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46056
Introduced by commit 92a2525 ("Bluetooth: mgmt: Implement support for
passkey notification") in v3.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [85fa3512048793076eef658f66489112dcc91993]
stable/6.12: [01a6431766c35dfedb86e0cb5d3fc80c6d604a47]
stable/6.18: [e08d75753db17aa943d7622f09d9c217b5bfd3b8]
stable/6.6: [204028af77a265e31ceb4ba7f643349a3cca72b2]
stable/7.0: [8c6443bb9257b780986fb67ec08565bf48ecb8d7]
CVE-2026-46057: landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46057
Introduced by commit ead9079 ("landlock: Add
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF") in v6.15-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [874c8f83826c95c62c21d9edfe9ef43e5c346724]
stable/6.18: [2fcde49092aac55d5beef43fdd3633217672f7d1]
stable/7.0: [1c513b8a00df13d231021e74ad92babb3fedf64a]
CVE-2026-46058: media: amphion: Fix race between m2m job_abort and device_run
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46058
Introduced by commit 3cd0845 ("media: amphion: add vpu v4l2 m2m
support") in v5.18-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e]
stable/6.12: [da4f46c5cf1d26e6b09418ad453e152f2e75a02c]
stable/6.18: [fdc150dac1adb9a98be9d6956cff0348838b024a]
stable/6.6: [42dc622776f3ce1a6c31b13bdc686f7295e3b323]
stable/7.0: [6be2cb75bc1300080cfc8051579f22efae9401f7]
CVE-2026-46059: KVM: nSVM: Always use NextRIP as vmcb02's NextRIP
after first L2 VMRUN
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46059
Introduced by commit cc440cd ("KVM: nSVM: implement
KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE") in v5.8-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [8d397582f6b5e9fbcf09781c7c934b4910e94a50]
stable/6.18: [3428ed1529a1af4cce5aff6c5bd2fcc39ad726bb]
stable/7.0: [69fe1411a5ce678b4da6489b5d2282b4e1d13acf]
CVE-2026-46060: crypto: qat - fix IRQ cleanup on 6xxx probe failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46060
Introduced by commit 17fd751 ("crypto: qat - add qat_6xxx driver") in v6.16-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [95aed2af87ec43fa7624cc81dd13d37824ad4972]
stable/6.18: [27f561bf894e46bdc2d6209c50884adad79d8277]
stable/7.0: [7cd651f1357dcc477e6483c3a4706836b46bdc92]
CVE-2026-46061: jbd2: fix deadlock in jbd2_journal_cancel_revoke()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46061
Introduced by commit f76d4c2 ("fs/jbd2: use sleeping version of
__find_get_block()") in v6.15-rc4.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12
Fixed status
mainline: [981fcc5674e67158d24d23e841523eccba19d0e7]
stable/6.12: [dff07cc98fdf6af57a7c054dc09b2050a9d5c287]
stable/6.18: [2b2fee890250ab647a601124471a334bb01a0790]
stable/7.0: [bbd943d6a2d566428324b516a37f98328dfb802d]
CVE-2026-46062: ntfs3: fix integer overflow in run_unpack() volume
boundary check
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46062
Introduced by commit 82cae26 ("fs/ntfs3: Add initialization of super
block") in v5.15-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [984a415f019536ea2d24de9010744e5302a9a948]
stable/6.12: [60dab3e2931f3d792438a77a6cb0cb731c43300b]
stable/6.18: [f1af27cec07a9fd0847166bdb23c99e86b05bfdc]
stable/6.6: [a954061b334ec67c79ae9d0cadd83fa521396487]
stable/7.0: [6175d09c23bec4b60860ee9a0170308ff4b56e10]
CVE-2026-46063: x86/shstk: Prevent deadlock during shstk sigreturn
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46063
Introduced by commit 7fad2a4 ("x86/shstk: Check that signal frame is
shadow stack mem") in v6.6-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9874b2917b9fbc30956fee209d3c4aa47201c64e]
stable/6.12: [d042d69b417515959e49021fef008c9b04a99bd5]
stable/6.18: [4f3374c990fb2adec06d20fd6d780927811c9aa0]
stable/6.6: [e2c2b044458cbf22da05264fa707308e8d4f86f9]
stable/7.0: [3d29db827502067626062f5c74dd502d14ab15bc]
CVE-2026-46064: ibmasm: fix heap over-read in ibmasm_send_i2o_message()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46064
Introduced by commit 1da177e ("Linux-2.6.12-rc2") in v2.6.12.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9aad71144fa3682cca3837a06c8623016790e7ec]
stable/6.12: [fe31722b0194ff76bf8b461e8bf97a2081147787]
stable/6.18: [c1c2417c60dbdca5ebb00462f21ee71c2d7f7083]
stable/6.6: [fd19eb1c75047a4ed4e855f56cafd704dc3914e0]
stable/7.0: [9e8f6c9d4ecddda2f28baa1678340286cff3969c]
CVE-2026-46065: fbdev: defio: Disconnect deferred I/O from the
lifetime of struct fb_info
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46065
Introduced by commit 60b59be ("fbdev: mm: Deferred IO support") in v2.6.22-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [9ded47ad003f09a94b6a710b5c47f4aa5ceb7429]
stable/6.12: [2b53d3a52e8e5403a4f4fb57ac6cad3fd2cb1066]
stable/6.18: [25c2b77bc463f29ee71a54b883548baf9386a0db]
stable/6.6: [2a40f8bc9bb713329f1c35ffc199ee961a7135b0]
stable/7.0: [a0aafb421dd15e935d81543152617f2742cefa70]
CVE-2026-46066: ceph: fix num_ops off-by-one when crypto allocation fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46066
Introduced by commit d552077 ("ceph: add encryption support to
writepage and writepages") in v6.6-rc1.
Introduced by commit cac190c ("ceph: fix write storm on fscrypted
files") in v7.0-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
stable/6.18
Fixed status
mainline: [a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842]
stable/6.18: [6200f41d6fcf2ac7e24866431e381cbc914560e4]
stable/7.0: [ba12c1e578890f6337a415b7dedf476c6d455105]
CVE-2026-46067: mm/damon/core: validate damos_quota_goal->nid for
node_memcg_{used,free}_bp
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46067
Introduced by commit b74a120 ("mm/damon/core: implement
DAMOS_QUOTA_NODE_MEMCG_USED_BP") in v6.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [a34dac6482e53e2c76944f25b1489b9b7da3a6e6]
stable/7.0: [da10db73ada26345244ea5dc52f974692bd05f66]
CVE-2026-46068: crypto: nx - fix bounce buffer leaks in
nx842_crypto_{alloc,free}_ctx
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46068
Introduced by commit ed70b47 ("crypto: nx - add hardware 842 crypto
comp alg") in v4.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c]
stable/6.12: [910bb34b801d39794e656f7d48414844b2bd354e]
stable/6.18: [5c07962fed66e1238fad7635fa150570bd38b4c5]
stable/6.6: [6923cde8dc1d501e79b312139819c88b54463803]
stable/7.0: [80fd99d7c30ea889662d21f1b44d8fea4c83138d]
CVE-2026-46069: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46069
Introduced by commit 4636187 ("mwifiex: add wakeup timer based
recovery mechanism") in v4.0-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ae5e95d4157481693be2317e3ffcd84e36010cbb]
stable/6.12: [63fe3389b3e092d6c0eeea9fc0318e7918b16618]
stable/6.18: [4e179a60a60c0a5aea245e8e67768343c0f070b8]
stable/6.6: [11869ce402d95519d49b25a2a97741f68d69d103]
stable/7.0: [030abbae49cf9fd1fba7aa08e15ec81efbeb78cf]
CVE-2026-46070: md/raid5: validate payload size before accessing
journal metadata
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46070
Introduced by commit b4c625c ("md/r5cache: r5cache recovery: part 1")
in v4.10-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9]
stable/6.12: [c3a1cf78bd1bbb51b2cc5189b4743056553c1e0e]
stable/6.18: [73ce72edd113374801045924d4417199963f73a3]
stable/6.6: [33698bd1b2db9764a29df7751533d33967ff5c98]
stable/7.0: [406aa86394ead347c47428fb51b6359bdaa2257d]
CVE-2026-46071: KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46071
Introduced by commit d20c796 ("KVM: x86: nSVM: implement nested LBR
virtualization") in v5.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b53ab5167a81537777ac780bbd93d32613aa3bda]
stable/6.18: [a3f0981a5a0e0bd51ad74cc7d9eed32294b24002]
stable/7.0: [9efe23568806d1cd06f7d146f9b3037b8d585a9f]
CVE-2026-46072: ntfs3: add buffer boundary checks to run_unpack()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46072
Introduced by commit 82cae26 ("fs/ntfs3: Add initialization of super
block") in v5.15-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b62567bca47408e6739dee75f02a2113548af875]
stable/6.12: [e64f7dfcaff79e7dfff9121a382dd77f9b462f62]
stable/6.18: [d3012690a7065d9ca86521a525ad11e8af491d45]
stable/6.6: [bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9]
stable/7.0: [41aadf5cb482793a24e05aa136224e179a778586]
CVE-2026-46073: hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46073
Introduced by commit 4381a36 ("hwmon: add POWER-Z driver") in v6.7-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b66437cb20a2d9ef201f40b675569f8ea7787c9f]
stable/6.12: [8b51277eec433d4e724b273a5a5c64e8acfbe405]
stable/6.18: [b6cb07f02253bdefd2339e57eaa1428a7b28cd0f]
stable/7.0: [d64458784036f5818e22781254b6be299d52a19c]
CVE-2026-46074: spi: ch341: fix memory leaks on probe failures
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46074
Introduced by commit 8846739 ("spi: add ch341a usb2spi driver") in v6.11-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [b99e3ddb91b499d920e63a2daff8880be68cfe9e]
stable/6.12: [5c6518633702d7f7b1153e9d8e042af847f11ef3]
stable/6.18: [ff8a7996dc8bf433efe2126ffdaee5b374a89e30]
stable/7.0: [9bee2faf9e21c796d0d222c9d84a98f41bd303a0]
CVE-2026-46075: crypto: atmel-sha204a - Fix potential UAF and memory
leak in remove path
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46075
Introduced by commit da001fb ("crypto: atmel-i2c - add support for
SHA204A random number generator") in v5.3-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [bab1adf3b87e4bfac92c4f5963c63db434d561c1]
stable/6.12: [775c00d87c385b758da9504cf053acea00e2ed40]
stable/6.18: [1193c12126d39bf986a5a9214827b73707b193ab]
stable/6.6: [c5a45d14234bf26e28a89e3a5dcc08336595cf11]
stable/7.0: [31901371ccd16b42d2f167b1018ba9ae8bd5a6c7]
CVE-2026-46076: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't
intercepted by L1
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46076
Introduced by commit 3f4a812 ("KVM: nSVM: hyper-v: Enable L2 TLB
flush") in v6.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c36991c6f8d2ab56ee67aff04e3c357f45cfc76c]
stable/6.12: [924d721fae95687acedbaf624a094ed0e8b67104]
stable/6.18: [009c0f726abeaa67aad1d96b883bdce01d405ce2]
stable/7.0: [5fb4a5f361565f5b629d8a8fe5288ce8463c5727]
CVE-2026-46077: crypto: atmel-tdes - fix DMA sync direction
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46077
Introduced by commit 1380200 ("crypto: atmel - add Atmel DES/TDES
driver") in v3.6-rc1.
Introduced by commit 1f85804 ("crypto: atmel-tdes - add support for
latest release of the IP (0x700)") in v3.10-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [c8a9a647532f5c2a04180352693215e24e9dba03]
stable/6.12: [12a0adfe498cd5d87e6365d7ca5f6b3eed79e523]
stable/6.18: [863d11b3927703ad95077c81a8a6489c5c7872f7]
stable/6.6: [5281e6e2302362f6b75b70cbfe4098d2a25dafd9]
stable/7.0: [b5f5df801d161ba244f391519cbff2f4e5c6edc2]
CVE-2026-46078: erofs: fix the out-of-bounds nameoff handling for
trailing dirents
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46078
Introduced by commit 3aa8ec7 ("staging: erofs: add directory
operations") in v4.19-rc1.
Introduced by commit 33bac91 ("staging: erofs: keep corrupted fs from
crashing kernel in erofs_readdir()") in v5.1-rc3.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/4.19 cip/4.19-rt cip/4.19-st
Fixed status
mainline: [d18a3b5d337fa412a38e776e6b4b857a58836575]
stable/6.12: [48b27a955d22391c7f30169fa7b6b2e1977f1ce4]
stable/6.18: [8ebb951a284b7446e025afc7dc5e9516ef9a7214]
stable/6.6: [222055e6b4063abd2d9e13c3d49bbd1724c50789]
stable/7.0: [1d55445226c75ddd4e78b09b3e7d99109b28c366]
CVE-2026-46079: rbd: fix null-ptr-deref when device_add_disk() fails
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46079
Introduced by commit 27c97ab ("rbd: add add_disk() error handling") in
v5.16-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d1fef92e414433ca7b89abf85cb0df42b8d475eb]
stable/6.12: [564cd8f4aeb9a938e470c5c91922fd02e4d41acc]
stable/6.18: [ad0126ffcba8777109852979eaaa6dca6703abdb]
stable/6.6: [2f4809a879f0750c7790bbeeae86c9505797a06f]
stable/7.0: [059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e]
CVE-2026-46080: ocfs2: split transactions in dio completion to avoid
credit exhaustion
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46080
Introduced commit is not determined.Fixed in v7.1-rc1.
Fixed status
mainline: [d647c5b2fbf81560818dacade360abc8c00a9665]
stable/6.12: [ea5bb1d20da756e4f41a48dad42b2e7d6e73f71e]
stable/6.18: [3c636a3edca9c3f180b3079f94fe7e115730d9c6]
stable/6.6: [886f97fa59d0bbfa9859fb1a66dd9e014b522d89]
stable/7.0: [069c3fb310e9336cf48cfdf8748a32c29fd0193d]
CVE-2026-46081: crypto: acomp - fix wrong pointer stored by acomp_save_req()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46081
Introduced by commit 64929fe ("crypto: acomp - Remove request
chaining") in v6.16-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d7e20b9bd6c990773cf0c09e2642250b8a70263d]
stable/6.18: [343a5bf68a8ff9affcf2b70677ea4cf40c195ee4]
stable/7.0: [1a2785e5985627f2265ba7775949601a29ba0d1e]
CVE-2026-46082: KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46082
Introduced by commit ff09238 ("KVM: SVM: Implement INVLPGA") in v2.6.32-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [d99df02ff427f461102230f9c5b90a6c64ee8e23]
stable/6.12: [643125b66ffc1147c66616b749475ba9efb15971]
stable/6.18: [c15392ed9e49c1a16b4d3a3ccf1b3bf2318a6c28]
stable/6.6: [3ac9d4241d205f5d0df06358349ca718ebb0fa12]
stable/7.0: [ee24928ecd85db4b68ed111e91fef36af0ca37b0]
CVE-2026-46083: spi: fix resource leaks on device setup failure
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46083
Introduced by commit c7299fe ("spi: Fix spi device unregister flow")
in v5.13-rc4.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/5.10 cip/5.10-rt stable/5.10
Fixed status
mainline: [db357034f7e0cf23f233f414a8508312dfe8fbbe]
stable/6.12: [1e774294b2f944f59e03a04eb438768a4b93c3ce]
stable/6.18: [11baa8b24bcb07ae2048f2566a220021d766abe0]
stable/6.6: [a2c817c629430fbbd54273525b472dac96e2c8fd]
stable/7.0: [dbcead54b12468d9aa54c0e1f0042d838ec3b0ae]
CVE-2026-46084: RDMA/mana_ib: Disable RX steering on RSS QP destroy
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46084
Introduced by commit 0266a17 ("RDMA/mana_ib: Add a driver for
Microsoft Azure Network Adapter") in v6.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [dbeb256e8dd87233d891b170c0b32a6466467036]
stable/6.12: [f1ccc4d500a0b87a5599343fc2f798048836e184]
stable/6.18: [8ba804869382ce307f2a15f5f6f2adfd791f41dc]
stable/6.6: [6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f]
stable/7.0: [3be5ed233de03b00ae868cfc06e95331d8d9007c]
CVE-2026-46085: rxrpc: Fix rxkad crypto unalignment handling
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46085
Introduced by commit f93af41 ("rxrpc: Fix missing error checks for
rxkad encryption/decryption failure") in v7.0.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.18 stable/6.6
Fixed status
mainline: [def304aae2edf321d2671fd6ca766a93c21f877e]
stable/6.12: [440d20d95e844b657a93a0b2dcc2aae155efdce6]
stable/6.18: [f0d3efd03b2a9e0f1ffa6df8fcb264af3d494286]
stable/6.6: [f1c6bd0cc786a8fa74829ce3c4b3673944a308f4]
stable/7.0: [af9271eb666d07b6f65612dc160a47f7cb5220ed]
CVE-2026-46086: net: bridge: use a stable FDB dst snapshot in RCU readers
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46086
Introduced by commit 960b589 ("bridge: Properly check if local fdb
entry can be deleted in br_fdb_change_mac_address") in v3.14-rc3.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [df4601653201de21b487c3e7fffd464790cab808]
stable/6.12: [81af4137a30c4c2dc694dea8cacb180bd66000ef]
stable/6.18: [5424e678f9b304e148cf5dcc047cffc7a56a3bb5]
stable/6.6: [0b9e4bbfb7c949151e3acd44ed4aa33614d2e110]
stable/7.0: [9a2d9d4e657b23dc21f24cf139e3aeff0b61341f]
CVE-2026-46087: mm/damon/stat: fix memory leak on damon_start()
failure in damon_stat_start()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46087
Introduced by commit 369c415 ("mm/damon: introduce DAMON_STAT module")
in v6.17-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e04ed278d25bf15769800bf6e35c6737f137186f]
stable/6.18: [8a62c58411cbd748d7aeab0e5b0963e33ff47a7a]
stable/7.0: [50bc1d7e0f3bb6932c8dc5da0907eead0790176b]
CVE-2026-46088: ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46088
Introduced by commit 8d44816 ("ALSA: control: add support for
ENUMERATED user space controls") in v3.2-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e0da8a8cac74f4b9f577979d131f0d2b88a84487]
stable/6.12: [8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e]
stable/6.18: [654c818a69c21d2bea4e8fd9eae7da865df9a5c8]
stable/6.6: [1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0]
stable/7.0: [82012fd3e78a14360fbc2f1a7491589896704f97]
CVE-2026-46089: zram: do not forget to endio for partial discard requests
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46089
Introduced by commit 0120dd6 ("zram: make zram_bio_discard more
self-contained") in v6.4-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e3668b371329ea036ff022ce8ecc82f8befcf003]
stable/6.12: [35d3300f6357cfaa72db2721dc2b345b19bac5df]
stable/6.18: [a02363f71a79b755daa78a70d6b217f9c13c8c85]
stable/6.6: [2d1f18efccdb8b29552399d024c36b705447e975]
stable/7.0: [68ce397e8236088fc53b9532d383a722288c8194]
CVE-2026-46090: ALSA: aloop: Fix peer runtime UAF during format-change stop
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46090
Introduced by commit 597603d ("ALSA: introduce the snd-aloop module
for the PCM loopback") in v2.6.37-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff]
stable/6.12: [03f52a9c170431e8f10e156b9dc0dae80b3e9198]
stable/6.18: [bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c]
stable/7.0: [5d45e34bf001344e2966dabca1897561bbc9e913]
CVE-2026-46091: media: rc: igorplugusb: heed coherency rules
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46091
Introduced by commit b1c9719 ("[media] rc: port IgorPlug-USB to
rc-core") in v3.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [eac69475b01fe1e861dfe3960b57fa95671c132e]
stable/6.12: [0be8fcd9005e3d3b5a61fe34b070a9663adbb4dc]
stable/6.18: [0adac0ee2c42027d80bac02ea9b576a88f8955d3]
stable/6.6: [18d6a7c9e4e63c57157e9a57dd9bf3cd38e4c45a]
stable/7.0: [a62ca67e3c72fb297dc7c86495ba8f7329d7f150]
CVE-2026-46092: wifi: rtw88: check for PCI upstream bridge existence
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46092
Introduced by commit 24f5e38 ("rtw88: Disable PCIe ASPM while doing
NAPI poll on 8821CE") in v5.17-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
stable/5.15
Fixed status
mainline: [eb101d2abdcccb514ca4fccd3b278dd8267374f6]
stable/6.12: [6c53d68e3bcfc8faccdd76c3383a9232b05c9ae6]
stable/6.18: [000134a20bbf89b1152520a2eef71f91fdb83a5b]
stable/6.6: [cc9b6303e7ea91bc360b42c7edc1fe9ceb2f47fe]
stable/7.0: [3bbbb56204f7359ce2139a9341b43b52a186261c]
CVE-2026-46093: mm/vmalloc: take vmap_purge_lock in shrinker
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46093
Introduced by commit 7679ba6 ("mm: vmalloc: add a shrinker to drain
vmap pools") in v6.9-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ec05f51f1e65bce95528543eb73fda56fd201d94]
stable/6.18: [687ccdf582169cd680aeaf24cc953807c4cd4345]
stable/7.0: [12f2341b4c235d5593a433abac201c1c6725787f]
CVE-2026-46094: ext4: fix bounds check in check_xattrs() to prevent
out-of-bounds access
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46094
Introduced by commit 3478c83 ("ext4: improve xattr consistency
checking and error reporting") in v6.3-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [eceafc31ea7b42c984ece10d79d505c0bb6615d5]
stable/6.12: [5a5314d2387633a272a04d1bd8727f99058e4e68]
stable/6.18: [537e065977022aa22f2c2503e8accaf16622e0fd]
stable/6.6: [ab6da97bc310db35d4e4ef5354bc3ff626b0698c]
stable/7.0: [520986722dbf869c122252123fc161c7302eab7d]
CVE-2026-46095: md/md-llbitmap: raise barrier before state machine transition
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46095
Introduced by commit 5ab829f ("md/md-llbitmap: introduce new lockless
bitmap") in v6.18-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [ef4ca3d4bf09716cff9ba00eb0351deadc8417ab]
stable/6.18: [9142f00a9287ca38152717e3e88a033a27774e7f]
stable/7.0: [9701d51dd378380ba05293fa391e8ba01065ae8d]
CVE-2026-46096: tpm2-sessions: Fix missing tpm_buf_destroy() in
tpm2_read_public()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46096
Introduced by commit bda1cbf ("tpm2-sessions: Fix tpm2_read_public
range checks") in v6.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit was backported to following branches.
cip/6.12 stable/6.12 stable/6.18
Fixed status
mainline: [f0f75a3d98b7959a8677b6363e23190f3018636b]
stable/6.18: [f8775d9d9062da662cc861f9ff7722a65896d4cd]
stable/7.0: [2f434be87e256fd58254f60ddf5d7d58e775ca0b]
CVE-2026-46097: Input: edt-ft5x06 - fix use-after-free in debugfs teardown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46097
Introduced by commit 68743c5 ("Input: edt-ft5x06 - use per-client
debugfs directory") in v6.17-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f5f9e07060519e2287e99019a6de1eb3ebb65c37]
stable/6.18: [a516d43886623e3cca5fa3446bed8fc7c7982be2]
stable/7.0: [9f6c5e7b747d40e1c65cbfcb975857d25154c075]
CVE-2026-46098: net: caif: clear client service pointer on teardown
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46098
Introduced by commit 43e3692 ("caif: Move refcount from service layer
to sock and dev.") in v3.0-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8]
stable/6.12: [3ac6db584d9d420267bb8413115707eeec76d9cf]
stable/6.18: [63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9]
stable/6.6: [914c6456fcfc21a3d553945dff62fd1621d6155d]
stable/7.0: [a4b191ddc12c55ddb62feb096536f819f384d6f1]
CVE-2026-46099: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46099
Introduced by commit af4a220 ("ipv6: sr: use dst_cache in seg6_input")
in v4.12-rc1.
Introduced by commit a7a29f9 ("net: ipv6: add rpl sr tunnel") in v5.7-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e]
stable/6.12: [52f9db67f8f35f436366cf4980b4f0a2583d0ef0]
stable/6.18: [b778b6d095421619c331fd2d7751143cd5387103]
stable/6.6: [6bd17925bd6866027a6555db17905b9fc073d38d]
stable/7.0: [9dd5481f960e337b81d7dfe429529495c1c481c0]
CVE-2026-46100: fs: afs: revert mmap_prepare() change
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46100
Introduced by commit 9d5403b ("fs: convert most other
generic_file_*mmap() users to .mmap_prepare()") in v6.17-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [fbfc6578eaca12daa0c09df1e9ba7f2c657b49da]
stable/6.18: [f51f85c044809fbd39ac8ae07ac99bc43ce32bd5]
stable/7.0: [48c7a0eaeea41da17d1d84d2d7a4c40be122b246]
CVE-2026-46101: netfilter: reject zero shift in nft_bitwise
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46101
Introduced by commit 567d746 ("netfilter: bitwise: add support for
shifts.") in v5.6-rc1.
Fixed in v7.1-rc2.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [fe11e5c40817b84abaa5d83bfb6586d8412bfd07]
stable/6.12: [ca24f1243ad1a4d12d6a23876bbbe3ed02099853]
stable/6.18: [6f820139d16a4c9865a145d4a9cf9c92cc632c14]
stable/6.6: [bffef0acec9c3b837a785248a893137fb7f26c95]
stable/7.0: [f370205974f171a5868c13ff30d7642fed46e47b]
CVE-2026-46102: net: strparser: fix skb_head leak in strp_abort_strp()
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46102
Introduced by commit 43a0c67 ("strparser: Stream parser for messages")
in v4.9-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [fe72340daaf1af588be88056faf98965f39e6032]
stable/6.12: [5327dad2ffe9c1b49881dd6d51ff3c6893847568]
stable/6.18: [19ca9475f18f991735f98a22e735c43e95e6298d]
stable/6.6: [e9ae00490d474757c0f9c65073de83e6bb1e5a00]
stable/7.0: [56082f442023db9be1a5a29d4ee361de4017c0b7]
CVE-2026-46103: can: ucan: fix devres lifetime
Announce: https://www.cve.org/CVERecord?id=CVE-2026-46103
Introduced by commit 9f2d3ea ("can: ucan: add driver for Theobroma
Systems UCAN devices") in v4.19-rc1.
Fixed in v7.1-rc1.
Bug introduced commit is not backported to older stable kernels.
Fixed status
mainline: [fed4626501c871890da287bec62a96e52da1af89]
stable/6.12: [10b7b676b78a7bd888d19729b459aad7fc1f428b]
stable/6.18: [c524c124e3094d2de12235a513854c03d06a2b58]
stable/6.6: [4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705]
stable/7.0: [c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae]
* Updated CVEs
CVE-2025-68251: erofs: avoid infinite loops due to corrupted subpage
compact indexes
stable/6.12 was fixed.
Fixed status
stable/6.12: [dbfac1b85d0753996ddfef636934d431b588dd1f]
CVE-2026-23272: netfilter: nf_tables: unconditionally bump set->nelems
before insertion
stable/6.12, stable/6.6 were fixed.
Fixed status
stable/6.12: [86bc4b1a0f672d47ac19f9022432cb6a2e01cb33]
stable/6.6: [e3ccb11fc8249759d23326038c8db987ddaabc77]
CVE-2026-31613: smb: client: fix OOB reads parsing symlink error response
stable/6.12, stable/6.6 were fixed.
Fixed status
stable/6.12: [20ac98f0eb6047edb73c9a27af782bdde08b3757]
stable/6.6: [d65a64755a3df68a2fd19d2a81395e9f723aca23]
CVE-2026-31707: ksmbd: validate response sizes in ipc_validate_msg()
stable/6.6 was fixed.
Fixed status
stable/6.6: [bf396208418371174869baba9434535cd3288e80]
CVE-2026-43137: ASoC: SOF: Intel: hda: Fix NULL pointer dereference
stable/6.6 was fixed.
Fixed status
stable/6.6: [a1d4f3d3c0dc86527da6a19f6901a6a48375500d]
CVE-2026-43245: ntfs: ->d_compare() must not block
stable/6.12, stable/6.6 were fixed.
Fixed status
stable/6.12: [1be7ca86ce1794d966fda5d82181bc978b150fbc]
stable/6.6: [02ecc0978c459fd90bb24b2a946dd16d43e68fe5]
CVE-2026-43490: ksmbd: validate inherited ACE SID length
stable/6.6 was fixed.
Fixed status
stable/6.6: [a7fb771314fb3a265d30f8ac245869a367ab065c]
CVE-2026-46300: Fragnesia: the Dirty Frag vulnerability class
stable/5.10, stable/6.1, stable/6.12, stable/6.18, stable/6.6,
stable/7.0 were fixed.
Fixed status
stable/5.10: [3599e6b3cc1ada96883d496a50a210d3afbb6987]
stable/5.15: [2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c]
stable/6.1: [9d3e5fd19fe1063bf607219e8562fbd567b8e8d5]
stable/6.12: [760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e]
stable/6.18: [3bd9e113d50034db99d7ef69fd8e5242d15e414a]
stable/6.6: [78bf6b6bb19541d19fbda6242e7cfe2c682763c0]
stable/7.0: [3884358a9286b17f389a72b1426fc4547c23c111]
Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
^ permalink raw reply
* Re: [PATCH 5.10.y-cip 0/9] i2c: riic: Driver enhancements
From: Pavel Machek @ 2026-05-27 21:15 UTC (permalink / raw)
To: Lad Prabhakar; +Cc: cip-dev, Nobuhiro Iwamatsu, Pavel Machek, Biju Das
In-Reply-To: <20260527161446.48789-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
[-- Attachment #1: Type: text/plain, Size: 548 bytes --]
Hi!
> This patch series aims to add I2C bus recovery support to the Renesas
> RIIC driver. Along with adding I2C bus recovery trivial cleanup patches
> have also been backported.
>
> All the patches have been cherry-picked from the upstream kernel.
This looks okay to me. Do you plan to do more backports to 5.10?
Reviewed-by: Pavel Machek <pavel@nabladev.com>
I can apply the series if it passes testing and there are no other
comments.
Best regards,
Pavel
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply
* Re: [PATCH 6.1.y-cip] i2c: riic: Implement bus recovery
From: Pavel Machek @ 2026-05-27 21:07 UTC (permalink / raw)
To: Lad Prabhakar; +Cc: cip-dev, Nobuhiro Iwamatsu, Pavel Machek, Biju Das
In-Reply-To: <20260527162119.52245-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
[-- Attachment #1: Type: text/plain, Size: 863 bytes --]
HI!
> commit ba9e1b5254783528e10b45b1f0fb40e21f4ff88a upstream.
>
> Implement I2C bus recovery support for the RIIC controller by making use
> of software-controlled SCL and SDA line manipulation. The controller allows
> forcing SCL and SDA levels through control bits, which enables generation
> of manual clock pulses and a stop condition to free a stuck bus.
>
> This implementation wires up the bus recovery mechanism using
> i2c_generic_scl_recovery and provides get/set operations for SCL and SDA.
>
> This allows the RIIC driver to recover from bus hang scenarios where SDA
> is held low by a slave.
This looks okay to me.
Reviewed-by: Pavel Machek <pavel@nabladev.com>
I can apply this if it passes testing and there are no other comments.
Best regards,
Pavel
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply
* [PATCH 6.1.y-cip] i2c: riic: Implement bus recovery
From: Lad Prabhakar @ 2026-05-27 16:21 UTC (permalink / raw)
To: cip-dev, Nobuhiro Iwamatsu, Pavel Machek; +Cc: Biju Das
commit ba9e1b5254783528e10b45b1f0fb40e21f4ff88a upstream.
Implement I2C bus recovery support for the RIIC controller by making use
of software-controlled SCL and SDA line manipulation. The controller allows
forcing SCL and SDA levels through control bits, which enables generation
of manual clock pulses and a stop condition to free a stuck bus.
This implementation wires up the bus recovery mechanism using
i2c_generic_scl_recovery and provides get/set operations for SCL and SDA.
This allows the RIIC driver to recover from bus hang scenarios where SDA
is held low by a slave.
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Link: https://lore.kernel.org/r/20250501204003.141134-1-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
drivers/i2c/busses/i2c-riic.c | 53 +++++++++++++++++++++++++++++++++--
1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c
index f1570872a63fc..e6a45bc7a0876 100644
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -53,6 +53,8 @@
#define ICCR1_ICE BIT(7)
#define ICCR1_IICRST BIT(6)
#define ICCR1_SOWP BIT(4)
+#define ICCR1_SCLO BIT(3)
+#define ICCR1_SDAO BIT(2)
#define ICCR1_SCLI BIT(1)
#define ICCR1_SDAI BIT(0)
@@ -152,11 +154,11 @@ static int riic_bus_barrier(struct riic_dev *riic)
ret = readb_poll_timeout(riic->base + riic->info->regs[RIIC_ICCR2], val,
!(val & ICCR2_BBSY), 10, riic->adapter.timeout);
if (ret)
- return ret;
+ return i2c_recover_bus(&riic->adapter);
if ((riic_readb(riic, RIIC_ICCR1) & (ICCR1_SDAI | ICCR1_SCLI)) !=
(ICCR1_SDAI | ICCR1_SCLI))
- return -EBUSY;
+ return i2c_recover_bus(&riic->adapter);
return 0;
}
@@ -440,6 +442,52 @@ static int riic_init_hw(struct riic_dev *riic)
return 0;
}
+static int riic_get_scl(struct i2c_adapter *adap)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ return !!(riic_readb(riic, RIIC_ICCR1) & ICCR1_SCLI);
+}
+
+static int riic_get_sda(struct i2c_adapter *adap)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ return !!(riic_readb(riic, RIIC_ICCR1) & ICCR1_SDAI);
+}
+
+static void riic_set_scl(struct i2c_adapter *adap, int val)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ if (val)
+ riic_clear_set_bit(riic, ICCR1_SOWP, ICCR1_SCLO, RIIC_ICCR1);
+ else
+ riic_clear_set_bit(riic, ICCR1_SOWP | ICCR1_SCLO, 0, RIIC_ICCR1);
+
+ riic_clear_set_bit(riic, 0, ICCR1_SOWP, RIIC_ICCR1);
+}
+
+static void riic_set_sda(struct i2c_adapter *adap, int val)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ if (val)
+ riic_clear_set_bit(riic, ICCR1_SOWP, ICCR1_SDAO, RIIC_ICCR1);
+ else
+ riic_clear_set_bit(riic, ICCR1_SOWP | ICCR1_SDAO, 0, RIIC_ICCR1);
+
+ riic_clear_set_bit(riic, 0, ICCR1_SOWP, RIIC_ICCR1);
+}
+
+static struct i2c_bus_recovery_info riic_bri = {
+ .recover_bus = i2c_generic_scl_recovery,
+ .get_scl = riic_get_scl,
+ .set_scl = riic_set_scl,
+ .get_sda = riic_get_sda,
+ .set_sda = riic_set_sda,
+};
+
static const struct riic_irq_desc riic_irqs[] = {
{ .res_num = 0, .isr = riic_tend_isr, .name = "riic-tend" },
{ .res_num = 1, .isr = riic_rdrf_isr, .name = "riic-rdrf" },
@@ -509,6 +557,7 @@ static int riic_i2c_probe(struct platform_device *pdev)
adap->algo = &riic_algo;
adap->dev.parent = dev;
adap->dev.of_node = dev->of_node;
+ adap->bus_recovery_info = &riic_bri;
init_completion(&riic->msg_done);
base-commit: d71d7aba7486b2803b7ca15255ba5f643ace1e9b
--
2.43.0
^ permalink raw reply related
* [PATCH 5.10.y-cip 8/9] i2c: riic: Add `riic_bus_barrier()` to check bus availability
From: Lad Prabhakar @ 2026-05-27 16:14 UTC (permalink / raw)
To: cip-dev, Nobuhiro Iwamatsu, Pavel Machek; +Cc: Biju Das
In-Reply-To: <20260527161446.48789-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
commit b31addf2a08bc5c16dfd6eae8785546f3eea92b8 upstream.
Introduce a new `riic_bus_barrier()` function to verify bus availability
before initiating an I2C transfer. This function enhances the bus
arbitration check by ensuring that the SDA and SCL lines are not held low,
in addition to checking the BBSY flag using `readb_poll_timeout()`.
Previously, only the BBSY flag was checked to determine bus availability.
However, it is possible for the SDA line to remain low even when BBSY = 0.
This new implementation performs an additional check on the SDA and SCL
lines to avoid potential bus contention issues.
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
drivers/i2c/busses/i2c-riic.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c
index 086f404859ffb..0bde3c25878f9 100644
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -41,6 +41,7 @@
#include <linux/i2c.h>
#include <linux/interrupt.h>
#include <linux/io.h>
+#include <linux/iopoll.h>
#include <linux/module.h>
#include <linux/of.h>
#include <linux/of_device.h>
@@ -52,6 +53,8 @@
#define ICCR1_ICE BIT(7)
#define ICCR1_IICRST BIT(6)
#define ICCR1_SOWP BIT(4)
+#define ICCR1_SCLI BIT(1)
+#define ICCR1_SDAI BIT(0)
#define ICCR2_BBSY BIT(7)
#define ICCR2_SP BIT(3)
@@ -137,6 +140,27 @@ static inline void riic_clear_set_bit(struct riic_dev *riic, u8 clear, u8 set, u
riic_writeb(riic, (riic_readb(riic, reg) & ~clear) | set, reg);
}
+static int riic_bus_barrier(struct riic_dev *riic)
+{
+ int ret;
+ u8 val;
+
+ /*
+ * The SDA line can still be low even when BBSY = 0. Therefore, after checking
+ * the BBSY flag, also verify that the SDA and SCL lines are not being held low.
+ */
+ ret = readb_poll_timeout(riic->base + riic->info->regs[RIIC_ICCR2], val,
+ !(val & ICCR2_BBSY), 10, riic->adapter.timeout);
+ if (ret)
+ return ret;
+
+ if ((riic_readb(riic, RIIC_ICCR1) & (ICCR1_SDAI | ICCR1_SCLI)) !=
+ (ICCR1_SDAI | ICCR1_SCLI))
+ return -EBUSY;
+
+ return 0;
+}
+
static int riic_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int num)
{
struct riic_dev *riic = i2c_get_adapdata(adap);
@@ -149,13 +173,11 @@ static int riic_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int num)
if (ret)
return ret;
- if (riic_readb(riic, RIIC_ICCR2) & ICCR2_BBSY) {
- riic->err = -EBUSY;
+ riic->err = riic_bus_barrier(riic);
+ if (riic->err)
goto out;
- }
reinit_completion(&riic->msg_done);
- riic->err = 0;
riic_writeb(riic, 0, RIIC_ICSR2);
--
2.43.0
^ permalink raw reply related
* [PATCH 5.10.y-cip 6/9] i2c: riic: Mark riic_irqs array as const
From: Lad Prabhakar @ 2026-05-27 16:14 UTC (permalink / raw)
To: cip-dev, Nobuhiro Iwamatsu, Pavel Machek; +Cc: Biju Das
In-Reply-To: <20260527161446.48789-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
commit 9ae0e7f77cfb638c3cd4198ad1ce7a3bce9a5c2a upstream.
The riic_irqs array describes the supported IRQs by the RIIC driver and
does not change at runtime.
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
drivers/i2c/busses/i2c-riic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c
index c884faa0d4ad2..98d5c2f512a3c 100644
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -416,7 +416,7 @@ static int riic_init_hw(struct riic_dev *riic)
return 0;
}
-static struct riic_irq_desc riic_irqs[] = {
+static const struct riic_irq_desc riic_irqs[] = {
{ .res_num = 0, .isr = riic_tend_isr, .name = "riic-tend" },
{ .res_num = 1, .isr = riic_rdrf_isr, .name = "riic-rdrf" },
{ .res_num = 2, .isr = riic_tdre_isr, .name = "riic-tdre" },
--
2.43.0
^ permalink raw reply related
* [PATCH 5.10.y-cip 4/9] i2c: riic: Use BIT macro consistently
From: Lad Prabhakar @ 2026-05-27 16:14 UTC (permalink / raw)
To: cip-dev, Nobuhiro Iwamatsu, Pavel Machek; +Cc: Biju Das
In-Reply-To: <20260527161446.48789-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
commit 0094d6b70d6b4eb5084e3b7dd99ebfc94d3ca58d upstream.
Easier to read and ensures proper types.
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
drivers/i2c/busses/i2c-riic.c | 37 ++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c
index 521589cb5264f..e3730b8730170 100644
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -34,6 +34,7 @@
* Also check the comments in the interrupt routines for some gory details.
*/
+#include <linux/bits.h>
#include <linux/clk.h>
#include <linux/completion.h>
#include <linux/err.h>
@@ -47,32 +48,32 @@
#include <linux/pm_runtime.h>
#include <linux/reset.h>
-#define ICCR1_ICE 0x80
-#define ICCR1_IICRST 0x40
-#define ICCR1_SOWP 0x10
+#define ICCR1_ICE BIT(7)
+#define ICCR1_IICRST BIT(6)
+#define ICCR1_SOWP BIT(4)
-#define ICCR2_BBSY 0x80
-#define ICCR2_SP 0x08
-#define ICCR2_RS 0x04
-#define ICCR2_ST 0x02
+#define ICCR2_BBSY BIT(7)
+#define ICCR2_SP BIT(3)
+#define ICCR2_RS BIT(2)
+#define ICCR2_ST BIT(1)
#define ICMR1_CKS_MASK 0x70
-#define ICMR1_BCWP 0x08
+#define ICMR1_BCWP BIT(3)
#define ICMR1_CKS(_x) ((((_x) << 4) & ICMR1_CKS_MASK) | ICMR1_BCWP)
-#define ICMR3_RDRFS 0x20
-#define ICMR3_ACKWP 0x10
-#define ICMR3_ACKBT 0x08
+#define ICMR3_RDRFS BIT(5)
+#define ICMR3_ACKWP BIT(4)
+#define ICMR3_ACKBT BIT(3)
-#define ICFER_FMPE 0x80
+#define ICFER_FMPE BIT(7)
-#define ICIER_TIE 0x80
-#define ICIER_TEIE 0x40
-#define ICIER_RIE 0x20
-#define ICIER_NAKIE 0x10
-#define ICIER_SPIE 0x08
+#define ICIER_TIE BIT(7)
+#define ICIER_TEIE BIT(6)
+#define ICIER_RIE BIT(5)
+#define ICIER_NAKIE BIT(4)
+#define ICIER_SPIE BIT(3)
-#define ICSR2_NACKF 0x10
+#define ICSR2_NACKF BIT(4)
#define ICBR_RESERVED 0xe0 /* Should be 1 on writes */
--
2.43.0
^ permalink raw reply related
* [PATCH 5.10.y-cip 7/9] i2c: riic: Use predefined macro and simplify clock tick calculation
From: Lad Prabhakar @ 2026-05-27 16:14 UTC (permalink / raw)
To: cip-dev, Nobuhiro Iwamatsu, Pavel Machek; +Cc: Biju Das
In-Reply-To: <20260527161446.48789-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
commit 385bb1c2678b59db201831255b524a6d7f7a25ff upstream.
Replace the hardcoded `1000000000` with the predefined `NSEC_PER_SEC`
macro for clarity. Simplify the code by introducing a `ns_per_tick`
variable to store `NSEC_PER_SEC / rate`, reducing redundancy and
improving readability.
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
drivers/i2c/busses/i2c-riic.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c
index 98d5c2f512a3c..086f404859ffb 100644
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -47,6 +47,7 @@
#include <linux/platform_device.h>
#include <linux/pm_runtime.h>
#include <linux/reset.h>
+#include <linux/time.h>
#define ICCR1_ICE BIT(7)
#define ICCR1_IICRST BIT(6)
@@ -314,6 +315,7 @@ static int riic_init_hw(struct riic_dev *riic)
{
int ret;
unsigned long rate;
+ unsigned long ns_per_tick;
int total_ticks, cks, brl, brh;
struct i2c_timings *t = &riic->i2c_t;
struct device *dev = riic->adapter.dev.parent;
@@ -377,8 +379,9 @@ static int riic_init_hw(struct riic_dev *riic)
* Remove clock ticks for rise and fall times. Convert ns to clock
* ticks.
*/
- brl -= t->scl_fall_ns / (1000000000 / rate);
- brh -= t->scl_rise_ns / (1000000000 / rate);
+ ns_per_tick = NSEC_PER_SEC / rate;
+ brl -= t->scl_fall_ns / ns_per_tick;
+ brh -= t->scl_rise_ns / ns_per_tick;
/* Adjust for min register values for when SCLE=1 and NFE=1 */
if (brl < 1)
@@ -388,8 +391,7 @@ static int riic_init_hw(struct riic_dev *riic)
pr_debug("i2c-riic: freq=%lu, duty=%d, fall=%lu, rise=%lu, cks=%d, brl=%d, brh=%d\n",
rate / total_ticks, ((brl + 3) * 100) / (brl + brh + 6),
- t->scl_fall_ns / (1000000000 / rate),
- t->scl_rise_ns / (1000000000 / rate), cks, brl, brh);
+ t->scl_fall_ns / ns_per_tick, t->scl_rise_ns / ns_per_tick, cks, brl, brh);
ret = pm_runtime_resume_and_get(dev);
if (ret)
--
2.43.0
^ permalink raw reply related
* [PATCH 5.10.y-cip 9/9] i2c: riic: Implement bus recovery
From: Lad Prabhakar @ 2026-05-27 16:14 UTC (permalink / raw)
To: cip-dev, Nobuhiro Iwamatsu, Pavel Machek; +Cc: Biju Das
In-Reply-To: <20260527161446.48789-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
commit ba9e1b5254783528e10b45b1f0fb40e21f4ff88a upstream.
Implement I2C bus recovery support for the RIIC controller by making use
of software-controlled SCL and SDA line manipulation. The controller allows
forcing SCL and SDA levels through control bits, which enables generation
of manual clock pulses and a stop condition to free a stuck bus.
This implementation wires up the bus recovery mechanism using
i2c_generic_scl_recovery and provides get/set operations for SCL and SDA.
This allows the RIIC driver to recover from bus hang scenarios where SDA
is held low by a slave.
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Link: https://lore.kernel.org/r/20250501204003.141134-1-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
drivers/i2c/busses/i2c-riic.c | 53 +++++++++++++++++++++++++++++++++--
1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c
index 0bde3c25878f9..a71e5fc678f15 100644
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -53,6 +53,8 @@
#define ICCR1_ICE BIT(7)
#define ICCR1_IICRST BIT(6)
#define ICCR1_SOWP BIT(4)
+#define ICCR1_SCLO BIT(3)
+#define ICCR1_SDAO BIT(2)
#define ICCR1_SCLI BIT(1)
#define ICCR1_SDAI BIT(0)
@@ -152,11 +154,11 @@ static int riic_bus_barrier(struct riic_dev *riic)
ret = readb_poll_timeout(riic->base + riic->info->regs[RIIC_ICCR2], val,
!(val & ICCR2_BBSY), 10, riic->adapter.timeout);
if (ret)
- return ret;
+ return i2c_recover_bus(&riic->adapter);
if ((riic_readb(riic, RIIC_ICCR1) & (ICCR1_SDAI | ICCR1_SCLI)) !=
(ICCR1_SDAI | ICCR1_SCLI))
- return -EBUSY;
+ return i2c_recover_bus(&riic->adapter);
return 0;
}
@@ -440,6 +442,52 @@ static int riic_init_hw(struct riic_dev *riic)
return 0;
}
+static int riic_get_scl(struct i2c_adapter *adap)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ return !!(riic_readb(riic, RIIC_ICCR1) & ICCR1_SCLI);
+}
+
+static int riic_get_sda(struct i2c_adapter *adap)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ return !!(riic_readb(riic, RIIC_ICCR1) & ICCR1_SDAI);
+}
+
+static void riic_set_scl(struct i2c_adapter *adap, int val)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ if (val)
+ riic_clear_set_bit(riic, ICCR1_SOWP, ICCR1_SCLO, RIIC_ICCR1);
+ else
+ riic_clear_set_bit(riic, ICCR1_SOWP | ICCR1_SCLO, 0, RIIC_ICCR1);
+
+ riic_clear_set_bit(riic, 0, ICCR1_SOWP, RIIC_ICCR1);
+}
+
+static void riic_set_sda(struct i2c_adapter *adap, int val)
+{
+ struct riic_dev *riic = i2c_get_adapdata(adap);
+
+ if (val)
+ riic_clear_set_bit(riic, ICCR1_SOWP, ICCR1_SDAO, RIIC_ICCR1);
+ else
+ riic_clear_set_bit(riic, ICCR1_SOWP | ICCR1_SDAO, 0, RIIC_ICCR1);
+
+ riic_clear_set_bit(riic, 0, ICCR1_SOWP, RIIC_ICCR1);
+}
+
+static struct i2c_bus_recovery_info riic_bri = {
+ .recover_bus = i2c_generic_scl_recovery,
+ .get_scl = riic_get_scl,
+ .set_scl = riic_set_scl,
+ .get_sda = riic_get_sda,
+ .set_sda = riic_set_sda,
+};
+
static const struct riic_irq_desc riic_irqs[] = {
{ .res_num = 0, .isr = riic_tend_isr, .name = "riic-tend" },
{ .res_num = 1, .isr = riic_rdrf_isr, .name = "riic-rdrf" },
@@ -509,6 +557,7 @@ static int riic_i2c_probe(struct platform_device *pdev)
adap->algo = &riic_algo;
adap->dev.parent = dev;
adap->dev.of_node = dev->of_node;
+ adap->bus_recovery_info = &riic_bri;
init_completion(&riic->msg_done);
--
2.43.0
^ permalink raw reply related
page: next (older)
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox