[CLSA-2026:1773832495] Fix of 114 CVEs
Type:
security
Severity:
Important
Release date:
2026-03-18 11:15:00 UTC
Description:
* CVE-2023-53515
  - virtio-mmio: don't break lifecycle of vm_dev {CVE-2023-53515}
* CVE-2025-39967
  - fbcon: fix integer overflow in fbcon_do_set_font {CVE-2025-39967}
  - fbcon: Fix OOB access in font allocation {CVE-2025-39967}
* CVE-2025-38702
  - fbdev: fix potential buffer overflow in do_register_framebuffer() {CVE-2025-38702}
* CVE-2025-38563
  - perf/core: Prevent VMA split of buffer mappings {CVE-2025-38563}
* CVE-2025-39869
  - dmaengine: ti: edma: Fix memory allocation size for queue_priority_map {CVE-2025-39869}
* CVE-2023-53577
  - bpf, cpumap: Make sure kthread is running before map update returns {CVE-2023-53577}
* CVE-2023-53608
  - nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() {CVE-2023-53608}
* CVE-2023-53604
  - dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path {CVE-2023-53604}
* CVE-2023-53619
  - netfilter: Replace printk() with pr_*() and define pr_fmt() {CVE-2023-53619}
  - netfilter: use kvmalloc_array to allocate memory for hashtable {CVE-2023-53619}
  - netfilter: conntrack: Avoid nf_ct_helper_hash uses after free {CVE-2023-53619}
* CVE-2025-38680
  - media: uvcvideo: Fix 1-byte out-of-bounds read in {CVE-2025-38680}
* CVE-2023-53454
  - HID: multitouch: Correct devm device reference for hidinput {CVE-2023-53454}
* CVE-2025-38699
  - scsi: bfa: Double-free fix {CVE-2025-38699}
  - ubi: ensure that VID header offset + VID header size <= alloc, size {CVE-2023-53265}
  - scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() {CVE-2023-53676}
  - fs: jfs: Fix UBSAN: array-index-out-of-bounds in {CVE-2025-38699}
* CVE-2023-53596
  - drivers: base: Free devm resources when unregistering a {CVE-2023-53596}
* CVE-2023-53622
  - gfs2: Fix possible data races in gfs2_show_options() {CVE-2023-53622}
  - HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition {CVE-2023-53622}
* CVE-2023-53090
  - drm/amdkfd: Fix an illegal memory access {CVE-2023-53090}
* CVE-2023-53116
  - nvmet: avoid potential UAF in nvmet_req_complete() {CVE-2023-53116}
* CVE-2023-53138
  - net: caif: Fix use-after-free in cfusbl_device_notify() {CVE-2023-53138}
* CVE-2023-53035
  - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() {CVE-2023-53035}
* CVE-2023-53668
  - ring-buffer: Fix deadloop issue on reading trace_pipe {CVE-2023-53668}
* CVE-2023-53616
  - jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount {CVE-2023-53616}
* CVE-2023-53554
  - staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() {CVE-2023-53554}
* CVE-2023-53587
  - ring-buffer: Sync IRQ works before buffer destruction {CVE-2023-53587}
* CVE-2023-53541
  - mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write {CVE-2023-53541}
* CVE-2023-53559
  - ip_vti: fix potential slab-use-after-free in decode_session6 {CVE-2023-53559}
* CVE-2023-53484
  - lib: cpu_rmap: Avoid use after free on rmap->obj array entries {CVE-2023-53484}
  - lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release() {CVE-2023-53484}
* CVE-2025-39824
  - HID: asus: fix UAF via HID_CLAIMED_INPUT validation {CVE-2025-39824}
* CVE-2025-38715
  - hfs: fix slab-out-of-bounds in hfs_bnode_read() {CVE-2025-38715}
* CVE-2023-53153
  - wifi: cfg80211: Fix use after free for wext {CVE-2023-53153}
* CVE-2025-38555
  - usb: gadget : fix use-after-free in composite_dev_cleanup() {CVE-2025-38555}
* CVE-2025-39743
  - jfs: truncate good inode pages when hard link is 0 {CVE-2025-39743}
* CVE-2025-39945
  - cnic: Fix use-after-free bugs in cnic_delete_task {CVE-2025-39945}
* CVE-2023-53506
  - udf: Do not bother merging very long extents {CVE-2023-53506}
* CVE-2025-38714
  - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() {CVE-2025-38714}
* CVE-2025-39685
  - comedi: pcl726: Prevent invalid irq number {CVE-2025-39685}
* CVE-2025-39839
  - batman-adv: fix OOB read/write in network-coding decode {CVE-2025-39839}
* CVE-2025-38708
  - drbd: add missing kref_get in handle_write_conflicts {CVE-2025-38708}
* CVE-2023-53521
  - scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() {CVE-2023-53521}
* CVE-2025-38713
  - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() {CVE-2025-38713}
* CVE-2023-53675
  - scsi: ses: Fix possible desc_ptr out-of-bounds accesses {CVE-2023-53675}
* CVE-2025-39691
  - fs/buffer: fix use-after-free when call bh_read() helper {CVE-2025-39691}
* CVE-2023-53259
  - VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF {CVE-2023-53259}
* CVE-2023-53285
  - ext4: add bounds checking in get_max_inline_xattr_value_size() {CVE-2023-53285}
* CVE-2023-53148
  - igb: Fix igb_down hung on surprise removal {CVE-2023-53148}
* CVE-2023-53219
  - media: netup_unidvb: fix use-after-free at del_timer() {CVE-2023-53219}
* CVE-2023-53215
  - sched/fair: Don't balance task to its current running CPU {CVE-2023-53215}
* CVE-2023-53305
  - Bluetooth: L2CAP: Fix use-after-free {CVE-2023-53305}
* CVE-2025-38103
  - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() {CVE-2025-38103}
* CVE-2025-38051
  - smb: client: Fix use-after-free in cifs_fill_dirent {CVE-2025-38051}
* CVE-2025-38157
  - wifi: ath9k_htc: Abort software beacon handling if disabled {CVE-2025-38157}
* CVE-2023-53373
  - crypto: seqiv - Handle EBUSY correctly {CVE-2023-53373}
* CVE-2025-38079
  - crypto: algif_hash - fix double free in hash_accept {CVE-2025-38079}
* CVE-2025-38212
  - ipc: fix to protect IPCS lookups using RCU {CVE-2025-38212}
* CVE-2025-38313
  - bus: fsl-mc: fix double-free on mc_dev {CVE-2025-38313}
* CVE-2023-53311
  - nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput {CVE-2023-53311}
* CVE-2023-53307
  - rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails {CVE-2023-53307}
* CVE-2025-38403
  - vsock/vmci: Clear the vmci transport packet properly when initializing it {CVE-2025-38403}
* CVE-2025-39683
  - tracing: Limit access to parser->buffer when trace_get_user failed {CVE-2025-39683}
* CVE-2025-38697
  - jfs: upper bound check of tree index in dbAllocAG {CVE-2025-38697}
* CVE-2025-39689
  - ftrace: Also allocate and copy hash for reading of filter files {CVE-2025-39689}
* CVE-2025-38574
  - pptp: ensure minimal skb length in pptp_xmit() {CVE-2025-38574}
* CVE-2025-38572
  - ipv6: reject malicious packets in ipv6_gso_segment() {CVE-2025-38572}
* CVE-2025-38685
  - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit {CVE-2025-38685}
* CVE-2025-39911
  - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path {CVE-2025-39911}
* CVE-2025-39973
  - i40e: increase max descriptors for XL710 {CVE-2025-39973}
  - i40e: add validation for ring_len param {CVE-2025-39973}
* CVE-2025-38724
  - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() {CVE-2025-38724}
* CVE-2025-39860
  - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() {CVE-2025-39860}
* CVE-2025-38530
  - comedi: pcl812: Fix bit shift out of bounds {CVE-2025-38530}
* CVE-2025-38529
  - comedi: aio_iiro_16: Fix bit shift out of bounds {CVE-2025-38529}
* CVE-2025-38497
  - usb: gadget: configfs: Fix OOB read on empty string write {CVE-2025-38497}
* CVE-2025-38483
  - comedi: das16m1: Fix bit shift out of bounds {CVE-2025-38483}
* CVE-2025-38482
  - comedi: das6402: Fix bit shift out of bounds {CVE-2025-38482}
* CVE-2025-39702
  - ipv6: sr: Fix MAC comparison to be constant-time {CVE-2025-39702}
* CVE-2025-39730
  - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() {CVE-2025-39730}
* CVE-2025-39817
  - efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare {CVE-2025-39817}
* CVE-2025-38494
  - HID: core: ensure the allocated report buffer can contain the reserved report ID {CVE-2025-38494}
  - HID: core: ensure __hid_request reserves the report ID as the first byte {CVE-2025-38494}
  - HID: core: do not bypass hid_hw_raw_request {CVE-2025-38494}
* CVE-2025-38527
  - smb: client: fix use-after-free in cifs_oplock_break {CVE-2025-38527}
* CVE-2025-39965
  - xfrm: Duplicate SPI Handling {CVE-2025-39965}
* CVE-2025-37927
  - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid {CVE-2025-37927}
* CVE-2025-37817
  - mcb: fix error handling for different scenarios when parsing {CVE-2025-37817}
  - mcb: fix a double free bug in chameleon_parse_gdd() {CVE-2025-37817}
* CVE-2025-38204
  - jfs: fix array-index-out-of-bounds read in add_missing_indices {CVE-2025-38204}
* CVE-2025-38323
  - net: atm: add lec_mutex {CVE-2025-38323}
* CVE-2025-38346
  - ftrace: Fix UAF when lookup kallsym after ftrace disabled {CVE-2025-38346}
* CVE-2025-38348
  - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() {CVE-2025-38348}
* CVE-2025-38416
  - NFC: nci: uart: Set tty->disc_data only in success path {CVE-2025-38416}
* CVE-2025-38428
  - Input: ims-pcu - check record size in ims_pcu_flash_firmware() {CVE-2025-38428}
* CVE-2025-38245
  - atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). {CVE-2025-38245}
* CVE-2025-38377
  - rose: fix dangling neighbour pointers in rose_rt_device_down() {CVE-2025-38377}
* CVE-2025-38459
  - atm: clip: Fix infinite recursive call of clip_push(). {CVE-2025-38459}
* CVE-2025-39863
  - wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work {CVE-2025-39863}
* CVE-2025-21726
  - padata: avoid UAF for reorder_work {CVE-2025-21726}
* CVE-2025-39760
  - usb: core: config: Prevent OOB read in SS endpoint companion parsing {CVE-2025-39760}
* CVE-2025-38198
  - fbcon: Make sure modelist not set on unregistered console {CVE-2025-38198}
* CVE-2025-38375
  - virtio-net: ensure the received length does not exceed allocated size {CVE-2025-38375}
* CVE-2025-39993
  - media: imon: reorganize serialization {CVE-2025-39993}
  - media: rc: fix races with imon_disconnect() {CVE-2025-39993}
* CVE-2025-39883
  - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory {CVE-2025-39883}
* Focal update: v5.4.211 upstream stable release (LP: #1990190)
  - scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input
* Focal update: v5.4.231 upstream stable release (LP: #2011226) // CVE-2023-53000
  - netlink: prevent potential spectre v1 gadgets
* CVE-2022-49980
  - USB: gadget: Fix use-after-free Read in usb_udc_uevent()
* CVE-2022-21546
  - scsi: target: Fix WRITE_SAME No Data Buffer crash
* Focal update: v5.4.225 upstream stable release (LP: #2002347) // CVE-2022-49763
  - ntfs: fix use-after-free in ntfs_attr_find()
* Focal update: Focal update: v5.4.235 upstream stable release (LP: #2017706) // CVE-2022-50258
  - wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
* CVE-2025-21727
  - padata: fix UAF in padata_reorder
* CVE-2025-37882
  - usb: xhci: Fix isochronous Ring Underrun/Overrun event handling
* CVE-2025-38250
  - Bluetooth: hci_core: Fix use-after-free in vhci_flush()
* CVE-2025-39751
  - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
* CVE-2025-37810
  - usb: dwc3: gadget: check that event count does not exceed event buffer length
* CVE-2025-37839
  - jbd2: remove wrong sb->s_sequence check
* CVE-2025-37892
  - mtd: inftlcore: Add error check for inftl_read_oob()
* CVE-2025-37923
  - tracing: Fix oob write in trace_seq_to_buffer()
* CVE-2024-43883
  - usb: vhci-hcd: Do not drop references before new references are gained
* CVE-2025-37739
  - f2fs: lost matching-pair of trace in f2fs_truncate_inode_blocks
  - f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
* CVE-2025-38069
  - PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops
* CVE-2025-22083
  - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
* Miscellaneous upstream changes
  - net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
  - HID: core: Harden s32ton() against conversion to 0 bits
  - fbcon: Introduce wrapper for console->fb_info lookup {CVE-2025-38198}
  - net: atm: fix /proc/net/atm/lec handling {CVE-2025-38323}
Updated packages:
  • linux-buildinfo-4.15.0-254-tuxcare.els42-generic_4.15.0-254.265_amd64.deb
    sha:1dbc479c057fffc35a30a96e1adfe4b3eb46eaa8
  • linux-buildinfo-4.15.0-254-tuxcare.els42-lowlatency_4.15.0-254.265_amd64.deb
    sha:6b49985c4c663a26e6eff97502199845b249d3cc
  • linux-cloud-tools-4.15.0-254-tuxcare.els42_4.15.0-254.265_amd64.deb
    sha:bf77075cc1cc49a8ef34cee8b4a572a43cac8d1c
  • linux-cloud-tools-4.15.0-254-tuxcare.els42-generic_4.15.0-254.265_amd64.deb
    sha:38f32db18a2c2743f68f496ab7fec71a0363908a
  • linux-cloud-tools-4.15.0-254-tuxcare.els42-lowlatency_4.15.0-254.265_amd64.deb
    sha:5227d6a9fa0ea9dca9b717c2be53bb7dc8338c67
  • linux-cloud-tools-common_4.15.0-254.265_all.deb
    sha:094489ff8dfc792609aa722e0e1722cb3a60f5f5
  • linux-doc_4.15.0-254.265_all.deb
    sha:6ae2c8224d6d81052040de7c5448fefa5df8a92f
  • linux-headers-4.15.0-254-tuxcare.els42_4.15.0-254.265_all.deb
    sha:4b0054867682e9cd2e313d91e1d571ce4182603f
  • linux-headers-4.15.0-254-tuxcare.els42-generic_4.15.0-254.265_amd64.deb
    sha:639342af828108b38cceba722a57369af2cbcc31
  • linux-headers-4.15.0-254-tuxcare.els42-lowlatency_4.15.0-254.265_amd64.deb
    sha:af85d6f5cf2c63257505a7f0c2d68d0eedacd29f
  • linux-image-unsigned-4.15.0-254-tuxcare.els42-generic_4.15.0-254.265_amd64.deb
    sha:65d210af271b4517dbe636f934755ad65e1ee343
  • linux-image-unsigned-4.15.0-254-tuxcare.els42-lowlatency_4.15.0-254.265_amd64.deb
    sha:a7a17c5dc388c4d851adc31d00bf0f67199736f8
  • linux-libc-dev_4.15.0-254.265_amd64.deb
    sha:efc617d6b053ce03548c9793a68aafd0abbd23dc
  • linux-modules-4.15.0-254-tuxcare.els42-generic_4.15.0-254.265_amd64.deb
    sha:f5154438b9d17ff19f19d9624b19b0c9ba6222d8
  • linux-modules-4.15.0-254-tuxcare.els42-lowlatency_4.15.0-254.265_amd64.deb
    sha:5f247b1b051102cdb1d237dd4ec5df0be42aee5e
  • linux-modules-extra-4.15.0-254-tuxcare.els42-generic_4.15.0-254.265_amd64.deb
    sha:e8c7076b40f3a89580cdabeb489df4a4b1b0307c
  • linux-source-4.15.0_4.15.0-254.265_all.deb
    sha:a21f925b7d5353467b3d8918badd55fc2622eff2
  • linux-tools-4.15.0-254-tuxcare.els42_4.15.0-254.265_amd64.deb
    sha:7e3db6d2fdda7269c3b21de8ba8011c99d6de93c
  • linux-tools-4.15.0-254-tuxcare.els42-generic_4.15.0-254.265_amd64.deb
    sha:7bd1999b6f824713d40c4b744c6cc5e81f42bb6c
  • linux-tools-4.15.0-254-tuxcare.els42-lowlatency_4.15.0-254.265_amd64.deb
    sha:5070e8cdca3c9a187013e0775fb5629c571651d5
  • linux-tools-common_4.15.0-254.265_all.deb
    sha:1da490f2abcbb15aa960274952874a45cec266bb
  • linux-tools-host_4.15.0-254.265_all.deb
    sha:84d65afcb461219963e5deb3ef1046f1eedebe40
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.