- ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() {CVE-2026-23089} - HID: core: Harden s32ton() against conversion to 0 bits {CVE-2025-38556} - KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory {CVE-2024-50115} - KVM: x86: Reset IRTE to host control if *new* route isn't postable {CVE-2025-37885} - NFSD: Protect against send buffer overflow in NFSv2 READ {CVE-2022-43945} - NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid {CVE-2025-68349} - Revert "IB/core: Implement clear counters" - Revert "IB/mlx5: Implement clear counters" - Revert "ib/core: add SET_DEVICE_OP call for clear_hw_stats()" - Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" - Revert "xfrm: destroy xfrm_state synchronously on net exit path" - bpf, sockmap: Fix race between element replace and close() {CVE-2024-56664} - can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak {CVE-2026-23061} - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec {CVE-2026-23060} - crypto: lzo - Fix compression buffer overrun {CVE-2025-38068} - drm/amd/pm: fix the Out-of-bounds read warning {CVE-2024-46731} - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number {CVE-2024-46724} - drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer {CVE-2024-49991} - ext4/jbd2: skip sb flush when EIO happened - ext4: save the error code which triggered an - fou: remove warn in gue_gro_receive on unsupported protocol {CVE-2024-44940} - fs: proc: inode: delay put_pid() by RCU - fs: writeback: fix use-after-free in __mark_inode_dirty() {CVE-2025-39866} - genirq/cpuhotplug: Notify about affinity changes breaking the affinity mask - io_uring: fix filename leak in __io_openat_prep() {CVE-2025-68814} - jbd2: store more accurate errno in superblock - libceph: fix potential use-after-free in have_mon_and_osd_map() {CVE-2025-68285} - libceph: make free_choose_arg_map() resilient to partial allocation {CVE-2026-22991} - macvlan: Add nodst option to macvlan type source - macvlan: Use 'hash' iterators to simplify code - macvlan: fix error recovery in macvlan_common_newlink() {CVE-2026-23209} - macvlan: fix possible UAF in macvlan_forward_source() {CVE-2026-23001} - macvlan: observe an RCU grace period in macvlan_common_newlink() error path {CVE-2026-23273} - media: xc2028: avoid use-after-free in load_firmware_cb() {CVE-2024-43900} - mm: call the security_mmap_file() LSM hook in remap_file_pages() {CVE-2024-47745} - net/sched: sch_qfq: do not free existing class in qfq_change_class() {CVE-2026-22999} - net: sock: fix hardened usercopy panic in sock_recv_errqueue {CVE-2026-22977} - net: usb: rtl8150: fix memory leak on usb_submit_urb() failure {CVE-2025-71154} - rds: Add state field to RDS trace logs. - rds: Drop rds conn in connect worker if not in down state. - scsi: mpi3mr: Sanitise num_phys {CVE-2024-42159} - scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() {CVE-2026-23193} - tty: n_gsm: Fix use-after-free in gsm_cleanup_mux {CVE-2024-50073} - usb: core: config: Prevent OOB read in SS endpoint companion parsing {CVE-2025-39760} - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint {CVE-2025-22083} - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids {CVE-2024-40929} - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added {CVE-2025-40256} - xfrm: delete x->tunnel as we delete x {CVE-2025-40215} - xfrm: flush all states in xfrm_state_fini