- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory {CVE-2025-39883} - comedi: aio_iiro_16: Fix bit shift out of bounds {CVE-2025-38529} - comedi: das6402: Fix bit shift out of bounds {CVE-2025-38482} - comedi: pcl812: Fix bit shift out of bounds {CVE-2025-38530} - comedi: das16m1: Fix bit shift out of bounds {CVE-2025-38483} - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). {CVE-2025-40186} - wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work {CVE-2025-39863} - smb: client: Fix use-after-free in cifs_fill_dirent {CVE-2025-38051} - libceph: fix potential use-after-free in have_mon_and_osd_map() {CVE-2025-68285} - sctp: avoid NULL dereference when chunk data buffer is missing {CVE-2025-40240} - smb: client: let recv_done verify data_offset, data_length and remaining_data_length {CVE-2025-39933} - vsock: Ignore signal/timeout on connect() if already established {CVE-2025-40248} - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping {CVE-2025-40154} - Bluetooth: hci_event: call disconnect callback before deleting conn {CVE-2023-53673} - net: fix information leakage in /proc/net/ptype {CVE-2022-48757} - net/mlx5e: fix a potential double-free in fs_any_create_groups {CVE-2023-52667} - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update {CVE-2024-35855} - Squashfs: check the inode number is not the invalid value of zero {CVE-2024-26982} - crypto: qat - resolve race condition during AER recovery {CVE-2024-26974} - perf/core: Bail out early if the request AUX area is out of bound {CVE-2023-52835} - ext4: fix double-free of blocks due to wrong extents moved_len {CVE-2024-26704} - stm class: Fix a double free in stm_register_device() {CVE-2024-38627} - pinctrl: core: delete incorrect free in pinctrl_enable() {CVE-2024-36940} - ipvlan: add ipvlan_route_v6_outbound() helper {CVE-2023-52796} - wifi: ath11k: fix gtk offload status event locking {CVE-2023-52777} - ice: fix memory corruption bug with suspend and rebuild {CVE-2024-35911} - drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()' {CVE-2024-27042} - drm/i915/vma: Fix UAF on destroy against retire race {CVE-2024-26939} - netfilter: nf_tables: prefer nft_chain_validate {CVE-2024-41042} - Bluetooth: Fix potential use-after-free when clear keys {CVE-2023-53386} - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] {CVE-2024-46815} - drm/amd/display: Check pipe offset before setting vblank {CVE-2024-42120} - nbd: fix incomplete validation of ioctl arg {CVE-2023-53513} - RDMA/rxe: Fix incomplete state save in rxe_requester {CVE-2023-53539} - netfilter: nftables: exthdr: fix 4-byte stack OOB write - net: ppp: Add bound checking for skb data on ppp_sync_txmung {CVE-2025-37749} - net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too {CVE-2025-37823} - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid {CVE-2025-37927} - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE {CVE-2025-40277} - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() {CVE-2025-38724} - RDMA/rxe: Fix mr->map double free {CVE-2022-50543} - ipc: fix to protect IPCS lookups using RCU {CVE-2025-38212} - vsock/vmci: Clear the vmci transport packet properly when initializing it {CVE-2025-38403} - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug {CVE-2025-38024} - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies {CVE-2025-40096} - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() {CVE-2025-38103} - drm/i915: mark requests for GuC virtual engines to avoid use-after-free {CVE-2023-53552} - net: atlantic: fix fragment overflow handling in RX path {CVE-2025-68301} - net: atm: add lec_mutex {CVE-2025-38323} - net: openvswitch: fix nested key length validation in the set() action {CVE-2025-37789} - scsi: lpfc: Fix buffer free/clear order in deferred receive path {CVE-2025-39841} - jbd2: remove wrong sb->s_sequence check {CVE-2025-37839} - tracing: Fix oob write in trace_seq_to_buffer() {CVE-2025-37923} - Squashfs: check return result of sb_min_blocksize {CVE-2025-38415} - ftrace: Fix UAF when lookup kallsym after ftrace disabled {CVE-2025-38346} - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). {CVE-2025-39955} - wifi: ath9k_htc: Abort software beacon handling if disabled {CVE-2025-38157} - atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). {CVE-2025-38245} - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() {CVE-2025-38249} - md/raid1: Fix stack memory use after return in raid1_reshape {CVE-2025-38445} - atm: clip: Fix infinite recursive call of clip_push(). {CVE-2025-38459} - bpf: Avoid __bpf_prog_ret0_warn when jit fails {CVE-2025-38280} - vsock: Do not allow binding to VMADDR_PORT_ANY {CVE-2025-38618} - fbcon: Make sure modelist not set on unregistered console {CVE-2025-38198}