{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-7.0.0-27", "linux-headers-7.0.0-27-generic", "linux-image-7.0.0-27-generic", "linux-main-modules-zfs-7.0.0-27-generic", "linux-modules-7.0.0-27-generic", "linux-tools-7.0.0-27", "linux-tools-7.0.0-27-generic" ], "removed": [ "linux-headers-7.0.0-22", "linux-headers-7.0.0-22-generic", "linux-image-7.0.0-22-generic", "linux-main-modules-zfs-7.0.0-22-generic", "linux-modules-7.0.0-22-generic", "linux-tools-7.0.0-22", "linux-tools-7.0.0-22-generic" ], "diff": [ "bpftool", "ca-certificates", "gir1.2-packagekitglib-1.0", "libpackagekit-glib2-18:ppc64el", "libperl5.40:ppc64el", "libsgutils2-1.48:ppc64el", "libxml2-16:ppc64el", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-libc-dev:ppc64el", "linux-perf", "linux-tools-common", "linux-virtual", "packagekit", "perl", "perl-base", "perl-modules-5.40", "python3-distupgrade", "sg3-utils", "sg3-utils-udev", "tar", "tmux", "ubuntu-release-upgrader-core", "update-notifier-common", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "bpftool", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.7.0+7.0.0-22.22" }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.7.0+7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "ca-certificates", "from_version": { "source_package_name": "ca-certificates", "source_package_version": "20260223", "version": "20260223" }, "to_version": { "source_package_name": "ca-certificates", "source_package_version": "20260601~26.04.1", "version": "20260601~26.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2156786 ], "changes": [ { "cves": [], "log": [ "", " * Update Mozilla certificate authority bundle to version 2.86", " (LP: #2156786)", " The following certificate authority was added (+):", " + e-Szigno TLS Root CA 2023", " The following certificate authorities were removed (-):", " - QuoVadis Root CA 2", " - QuoVadis Root CA 3", " - DigiCert Assured ID Root CA", " - DigiCert Global Root CA", " - DigiCert High Assurance EV Root CA", " - SwissSign Gold CA - G2", " - SecureTrust CA", " - Secure Global CA", " - COMODO Certification Authority", " - Certigna", " - certSIGN ROOT CA", " - AffirmTrust Commercial", " - AffirmTrust Networking", " - AffirmTrust Premium", " - AffirmTrust Premium ECC", " - TeliaSonera Root CA v1", " - Entrust Root Certification Authority - G2", " - Entrust Root Certification Authority - EC1", " - Trustwave Global Certification Authority", " - Trustwave Global ECC P256 Certification Authority", " - Trustwave Global ECC P384 Certification Authority", " - GLOBALTRUST 2020", " - GTS Root R2", " - FIRMAPROFESIONAL CA ROOT-A WEB", " The following certificate authority was renamed (~):", " ~ \"OISTE Server Root RSA G1\" (removed leading space)", "" ], "package": "ca-certificates", "version": "20260601~26.04.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [ 2156786 ], "author": "Marc Deslauriers ", "date": "Mon, 15 Jun 2026 12:17:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gir1.2-packagekitglib-1.0", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.3.4-3ubuntu1", "version": "1.3.4-3ubuntu1" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.3.4-3ubuntu1.1", "version": "1.3.4-3ubuntu1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2148474 ], "changes": [ { "cves": [], "log": [ "", " * d/p: Honour allow_deps=false when removing packages.", " The PackageKit API allows restricting a RemovePackages transaction to", " prevent removing any dependent packages, but the APT backend was not", " honouring it.", " This could have lead to the accidental removal of system packages when", " trying to uninstall applications from simple PackageKit frontends.", " (LP: #2148474)", "", "" ], "package": "packagekit", "version": "1.3.4-3ubuntu1.1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2148474 ], "author": "Alessandro Astone ", "date": "Tue, 09 Jun 2026 11:47:30 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpackagekit-glib2-18:ppc64el", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.3.4-3ubuntu1", "version": "1.3.4-3ubuntu1" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.3.4-3ubuntu1.1", "version": "1.3.4-3ubuntu1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2148474 ], "changes": [ { "cves": [], "log": [ "", " * d/p: Honour allow_deps=false when removing packages.", " The PackageKit API allows restricting a RemovePackages transaction to", " prevent removing any dependent packages, but the APT backend was not", " honouring it.", " This could have lead to the accidental removal of system packages when", " trying to uninstall applications from simple PackageKit frontends.", " (LP: #2148474)", "", "" ], "package": "packagekit", "version": "1.3.4-3ubuntu1.1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2148474 ], "author": "Alessandro Astone ", "date": "Tue, 09 Jun 2026 11:47:30 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libperl5.40:ppc64el", "from_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7build1", "version": "5.40.1-7build1" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7ubuntu0.1", "version": "5.40.1-7ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: path traversal in Archive::Tar symlink/hardlink extraction", " - debian/patches/CVE-2026-42496.patch: validate symlink and hardlink", " targets against absolute paths and directory traversal in", " cpan/Archive-Tar/lib/Archive/Tar.pm", " - CVE-2026-42496", " * SECURITY UPDATE: integer overflow in regular expression compiler", " - debian/patches/CVE-2026-8376_1.patch: add test cases for heap buffer", " overflow via quantified fixed-string regex in t/re/pat_psycho.t", " - debian/patches/CVE-2026-8376_2.patch: add overflow check before", " fixed-string buffer allocation in regcomp.c / regcomp_study.c", " - CVE-2026-8376", "" ], "package": "perl", "version": "5.40.1-7ubuntu0.1", "urgency": "high", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Chrisa Oikonomou ", "date": "Fri, 12 Jun 2026 16:42:16 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsgutils2-1.48:ppc64el", "from_version": { "source_package_name": "sg3-utils", "source_package_version": "1.48-3ubuntu3", "version": "1.48-3ubuntu3" }, "to_version": { "source_package_name": "sg3-utils", "source_package_version": "1.48-3ubuntu3.1", "version": "1.48-3ubuntu3.1" }, "cves": [], "launchpad_bugs_fixed": [ 2152092 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2152092-sg_wr_mode-fix-contents-and-cfile=-handling: fix", " command-line argument handling for --contents and --cfile in sg_wr_mode", " (LP: #2152092)", " * d/t/basic-scsi-device:", " - Don't try to install linux-modules-extra anymore.", " - Fix portal cleanup to handle both IPv4 (0.0.0.0) and IPv6 (::0)", " default portal addresses.", " - Use die() instead of bare string on sg_dd commands.", "" ], "package": "sg3-utils", "version": "1.48-3ubuntu3.1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2152092 ], "author": "Guilherme Puida Moreira ", "date": "Thu, 28 May 2026 16:50:21 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libxml2-16:ppc64el", "from_version": { "source_package_name": "libxml2", "source_package_version": "2.15.2+dfsg-0.1", "version": "2.15.2+dfsg-0.1" }, "to_version": { "source_package_name": "libxml2", "source_package_version": "2.15.2+dfsg-0.1ubuntu0.1", "version": "2.15.2+dfsg-0.1ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-6732", "url": "https://ubuntu.com/security/CVE-2026-6732", "cve_description": "A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.", "cve_priority": "medium", "cve_public_date": "2026-04-23 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-6732", "url": "https://ubuntu.com/security/CVE-2026-6732", "cve_description": "A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.", "cve_priority": "medium", "cve_public_date": "2026-04-23 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of service in parser.", " - debian/patches/CVE-2026-6732.patch: Pass userData instead of ctxt in", " parser.c", " - CVE-2026-6732", "" ], "package": "libxml2", "version": "2.15.2+dfsg-0.1ubuntu0.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Fri, 19 Jun 2026 11:43:10 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-27.27", "" ], "package": "linux-meta", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 19:19:29 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-26.26", "" ], "package": "linux-meta", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:43:13 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-23.23", "" ], "package": "linux-meta", "version": "7.0.0-23.23", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 02:54:03 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-21.21", "" ], "package": "linux-meta", "version": "7.0.0-21.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 22 May 2026 21:09:26 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-27.27", "" ], "package": "linux-meta", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 19:19:29 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-26.26", "" ], "package": "linux-meta", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:43:13 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-23.23", "" ], "package": "linux-meta", "version": "7.0.0-23.23", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 02:54:03 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-21.21", "" ], "package": "linux-meta", "version": "7.0.0-21.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 22 May 2026 21:09:26 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-27.27", "" ], "package": "linux-meta", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 19:19:29 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-26.26", "" ], "package": "linux-meta", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:43:13 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-23.23", "" ], "package": "linux-meta", "version": "7.0.0-23.23", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 02:54:03 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-21.21", "" ], "package": "linux-meta", "version": "7.0.0-21.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 22 May 2026 21:09:26 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-libc-dev:ppc64el", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-perf", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-tools-common", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-27.27", "" ], "package": "linux-meta", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 19:19:29 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-26.26", "" ], "package": "linux-meta", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:43:13 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-23.23", "" ], "package": "linux-meta", "version": "7.0.0-23.23", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 02:54:03 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-21.21", "" ], "package": "linux-meta", "version": "7.0.0-21.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Fri, 22 May 2026 21:09:26 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "packagekit", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.3.4-3ubuntu1", "version": "1.3.4-3ubuntu1" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.3.4-3ubuntu1.1", "version": "1.3.4-3ubuntu1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2148474 ], "changes": [ { "cves": [], "log": [ "", " * d/p: Honour allow_deps=false when removing packages.", " The PackageKit API allows restricting a RemovePackages transaction to", " prevent removing any dependent packages, but the APT backend was not", " honouring it.", " This could have lead to the accidental removal of system packages when", " trying to uninstall applications from simple PackageKit frontends.", " (LP: #2148474)", "", "" ], "package": "packagekit", "version": "1.3.4-3ubuntu1.1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2148474 ], "author": "Alessandro Astone ", "date": "Tue, 09 Jun 2026 11:47:30 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl", "from_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7build1", "version": "5.40.1-7build1" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7ubuntu0.1", "version": "5.40.1-7ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: path traversal in Archive::Tar symlink/hardlink extraction", " - debian/patches/CVE-2026-42496.patch: validate symlink and hardlink", " targets against absolute paths and directory traversal in", " cpan/Archive-Tar/lib/Archive/Tar.pm", " - CVE-2026-42496", " * SECURITY UPDATE: integer overflow in regular expression compiler", " - debian/patches/CVE-2026-8376_1.patch: add test cases for heap buffer", " overflow via quantified fixed-string regex in t/re/pat_psycho.t", " - debian/patches/CVE-2026-8376_2.patch: add overflow check before", " fixed-string buffer allocation in regcomp.c / regcomp_study.c", " - CVE-2026-8376", "" ], "package": "perl", "version": "5.40.1-7ubuntu0.1", "urgency": "high", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Chrisa Oikonomou ", "date": "Fri, 12 Jun 2026 16:42:16 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl-base", "from_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7build1", "version": "5.40.1-7build1" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7ubuntu0.1", "version": "5.40.1-7ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: path traversal in Archive::Tar symlink/hardlink extraction", " - debian/patches/CVE-2026-42496.patch: validate symlink and hardlink", " targets against absolute paths and directory traversal in", " cpan/Archive-Tar/lib/Archive/Tar.pm", " - CVE-2026-42496", " * SECURITY UPDATE: integer overflow in regular expression compiler", " - debian/patches/CVE-2026-8376_1.patch: add test cases for heap buffer", " overflow via quantified fixed-string regex in t/re/pat_psycho.t", " - debian/patches/CVE-2026-8376_2.patch: add overflow check before", " fixed-string buffer allocation in regcomp.c / regcomp_study.c", " - CVE-2026-8376", "" ], "package": "perl", "version": "5.40.1-7ubuntu0.1", "urgency": "high", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Chrisa Oikonomou ", "date": "Fri, 12 Jun 2026 16:42:16 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl-modules-5.40", "from_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7build1", "version": "5.40.1-7build1" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.40.1-7ubuntu0.1", "version": "5.40.1-7ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-42496", "url": "https://ubuntu.com/security/CVE-2026-42496", "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.", "cve_priority": "medium", "cve_public_date": "2026-05-26 02:16:00 UTC" }, { "cve": "CVE-2026-8376", "url": "https://ubuntu.com/security/CVE-2026-8376", "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.", "cve_priority": "medium", "cve_public_date": "2026-05-26 00:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: path traversal in Archive::Tar symlink/hardlink extraction", " - debian/patches/CVE-2026-42496.patch: validate symlink and hardlink", " targets against absolute paths and directory traversal in", " cpan/Archive-Tar/lib/Archive/Tar.pm", " - CVE-2026-42496", " * SECURITY UPDATE: integer overflow in regular expression compiler", " - debian/patches/CVE-2026-8376_1.patch: add test cases for heap buffer", " overflow via quantified fixed-string regex in t/re/pat_psycho.t", " - debian/patches/CVE-2026-8376_2.patch: add overflow check before", " fixed-string buffer allocation in regcomp.c / regcomp_study.c", " - CVE-2026-8376", "" ], "package": "perl", "version": "5.40.1-7ubuntu0.1", "urgency": "high", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Chrisa Oikonomou ", "date": "Fri, 12 Jun 2026 16:42:16 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-distupgrade", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.18", "version": "1:26.04.18" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.22", "version": "1:26.04.22" }, "cves": [], "launchpad_bugs_fixed": [ 2154602, 2154724, 2150319, 2151216 ], "changes": [ { "cves": [], "log": [ "", " [ Carlos Nihelton ]", " * data/release-upgrades: set Prompt=lts for resolute (LP: #2154602)", "", " [ Simon Johnsson ]", " * DistUpgradeQuirks: fix formatting and linting errors (LP: #2154724)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.22", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154602, 2154724 ], "author": "Carlos Nihelton ", "date": "Fri, 29 May 2026 15:58:15 -0300" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: Fix log message when installing piboot-try", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Dave Jones ", "date": "Fri, 22 May 2026 17:48:19 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: mark libfile-libmagic-perl for install on Noble if", " lintian is installed (LP: #2150319):", " - This fixes a resolver deadlock on systems with a lot of packages", " (such as having ubuntu-desktop installed) as the resolver would increase", " strictness and prefer not to install additional dependencies.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.20", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2150319 ], "author": "Simon Johnsson ", "date": "Mon, 04 May 2026 16:30:48 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: On Pi installations, force the installation of", " piboot-try over flash-kernel (LP: #2151216)", " * Use PostDistUpgradeCache for this and the dracut migration on Pi to ease", " upgrade calculation", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.19", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2151216 ], "author": "Dave Jones ", "date": "Tue, 05 May 2026 11:58:10 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "sg3-utils", "from_version": { "source_package_name": "sg3-utils", "source_package_version": "1.48-3ubuntu3", "version": "1.48-3ubuntu3" }, "to_version": { "source_package_name": "sg3-utils", "source_package_version": "1.48-3ubuntu3.1", "version": "1.48-3ubuntu3.1" }, "cves": [], "launchpad_bugs_fixed": [ 2152092 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2152092-sg_wr_mode-fix-contents-and-cfile=-handling: fix", " command-line argument handling for --contents and --cfile in sg_wr_mode", " (LP: #2152092)", " * d/t/basic-scsi-device:", " - Don't try to install linux-modules-extra anymore.", " - Fix portal cleanup to handle both IPv4 (0.0.0.0) and IPv6 (::0)", " default portal addresses.", " - Use die() instead of bare string on sg_dd commands.", "" ], "package": "sg3-utils", "version": "1.48-3ubuntu3.1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2152092 ], "author": "Guilherme Puida Moreira ", "date": "Thu, 28 May 2026 16:50:21 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "sg3-utils-udev", "from_version": { "source_package_name": "sg3-utils", "source_package_version": "1.48-3ubuntu3", "version": "1.48-3ubuntu3" }, "to_version": { "source_package_name": "sg3-utils", "source_package_version": "1.48-3ubuntu3.1", "version": "1.48-3ubuntu3.1" }, "cves": [], "launchpad_bugs_fixed": [ 2152092 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2152092-sg_wr_mode-fix-contents-and-cfile=-handling: fix", " command-line argument handling for --contents and --cfile in sg_wr_mode", " (LP: #2152092)", " * d/t/basic-scsi-device:", " - Don't try to install linux-modules-extra anymore.", " - Fix portal cleanup to handle both IPv4 (0.0.0.0) and IPv6 (::0)", " default portal addresses.", " - Use die() instead of bare string on sg_dd commands.", "" ], "package": "sg3-utils", "version": "1.48-3ubuntu3.1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2152092 ], "author": "Guilherme Puida Moreira ", "date": "Thu, 28 May 2026 16:50:21 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "tar", "from_version": { "source_package_name": "tar", "source_package_version": "1.35+dfsg-4", "version": "1.35+dfsg-4" }, "to_version": { "source_package_name": "tar", "source_package_version": "1.35+dfsg-4ubuntu0.1", "version": "1.35+dfsg-4ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-5704", "url": "https://ubuntu.com/security/CVE-2026-5704", "cve_description": "A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.", "cve_priority": "medium", "cve_public_date": "2026-04-06 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-5704", "url": "https://ubuntu.com/security/CVE-2026-5704", "cve_description": "A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.", "cve_priority": "medium", "cve_public_date": "2026-04-06 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: file injection via crafted archive", " - debian/patches/CVE-2026-5704.patch: always call skip_member() after", " extraction in src/extract.c, fix skim_member() to skip directory data", " in src/list.c, remove conditional skip_member() call from", " purge_directory in src/incremen.c", " - CVE-2026-5704", "" ], "package": "tar", "version": "1.35+dfsg-4ubuntu0.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Fri, 19 Jun 2026 11:01:00 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "tmux", "from_version": { "source_package_name": "tmux", "source_package_version": "3.6a-2", "version": "3.6a-2" }, "to_version": { "source_package_name": "tmux", "source_package_version": "3.6a-2ubuntu0.1", "version": "3.6a-2ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-11623", "url": "https://ubuntu.com/security/CVE-2026-11623", "cve_description": "A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.", "cve_priority": "medium", "cve_public_date": "2026-06-09 05:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-11623", "url": "https://ubuntu.com/security/CVE-2026-11623", "cve_description": "A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.", "cve_priority": "medium", "cve_public_date": "2026-06-09 05:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use after free in image_free", " - debian/patches/CVE-2026-11623.patch: Track which list (images or", " saved_images) each image is on so they can be removed from the correct", " list when the total image count is reached in image.c, screen.c, tmux.h.", " - CVE-2026-11623", "" ], "package": "tmux", "version": "3.6a-2ubuntu0.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Sat, 13 Jun 2026 19:25:10 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-release-upgrader-core", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.18", "version": "1:26.04.18" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.22", "version": "1:26.04.22" }, "cves": [], "launchpad_bugs_fixed": [ 2154602, 2154724, 2150319, 2151216 ], "changes": [ { "cves": [], "log": [ "", " [ Carlos Nihelton ]", " * data/release-upgrades: set Prompt=lts for resolute (LP: #2154602)", "", " [ Simon Johnsson ]", " * DistUpgradeQuirks: fix formatting and linting errors (LP: #2154724)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.22", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154602, 2154724 ], "author": "Carlos Nihelton ", "date": "Fri, 29 May 2026 15:58:15 -0300" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: Fix log message when installing piboot-try", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Dave Jones ", "date": "Fri, 22 May 2026 17:48:19 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: mark libfile-libmagic-perl for install on Noble if", " lintian is installed (LP: #2150319):", " - This fixes a resolver deadlock on systems with a lot of packages", " (such as having ubuntu-desktop installed) as the resolver would increase", " strictness and prefer not to install additional dependencies.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.20", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2150319 ], "author": "Simon Johnsson ", "date": "Mon, 04 May 2026 16:30:48 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: On Pi installations, force the installation of", " piboot-try over flash-kernel (LP: #2151216)", " * Use PostDistUpgradeCache for this and the dracut migration on Pi to ease", " upgrade calculation", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.19", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2151216 ], "author": "Dave Jones ", "date": "Tue, 05 May 2026 11:58:10 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "update-notifier-common", "from_version": { "source_package_name": "update-notifier", "source_package_version": "3.207", "version": "3.207" }, "to_version": { "source_package_name": "update-notifier", "source_package_version": "3.207.1", "version": "3.207.1" }, "cves": [], "launchpad_bugs_fixed": [ 2150568 ], "changes": [ { "cves": [], "log": [ "", " * Add support for also using desktop-security-center as the UI manager.", " Currently only `software-properties-livepatch` is supported, which is", " fine for Noble but not for Resolute onward, because", " `desktop-security-center` snap is used instead. This patch adds", " support for the later, checking for it first and falling back to the", " old `software-properties` code if needed. (LP: #2150568)", "" ], "package": "update-notifier", "version": "3.207.1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2150568 ], "author": "Sergio Costas Rodriguez ", "date": "Wed, 20 May 2026 12:44:00 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.3", "version": "2:9.1.2141-1ubuntu4.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.5", "version": "2:9.1.2141-1ubuntu4.5" }, "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * debian/patches/0005-skip-autocmd-test-failing-on-arm64.patch", " - Skip tests failing on arm64", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.5", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 17 Jun 2026 09:37:36 -0600" }, { "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Code injection via NetrwBookHistSave().", " - debian/patches/CVE-2026-47162.patch: Properly quote the directory name", " in runtime/pack/dist/opt/netrw/autoload/netrw.vim.", " - CVE-2026-47162", " * SECURITY UPDATE: Code Injection in cucumber filetype plugin.", " - debian/patches/CVE-2026-47167.patch: Use rubys Regexp.new() in", " runtime/ftplugin/cucumber.vim.", " - CVE-2026-47167", " * SECURITY UPDATE: Code execution with python3complete.", " - debian/patches/CVE-2026-52858.patch: Disable execution of import/from", " statements in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - debian/patches/CVE-2026-52860.patch: Strip default expressions and", " annotations in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - CVE-2026-52858", " - CVE-2026-52860", " * SECURITY UPDATE: Out-of-bounds read in update_snapshot().", " - debian/patches/CVE-2026-52859.patch: Bound loop in update_snapshot() in", " src/terminal.c.", " - CVE-2026-52859", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.4", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Mon, 15 Jun 2026 10:49:29 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.3", "version": "2:9.1.2141-1ubuntu4.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.5", "version": "2:9.1.2141-1ubuntu4.5" }, "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * debian/patches/0005-skip-autocmd-test-failing-on-arm64.patch", " - Skip tests failing on arm64", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.5", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 17 Jun 2026 09:37:36 -0600" }, { "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Code injection via NetrwBookHistSave().", " - debian/patches/CVE-2026-47162.patch: Properly quote the directory name", " in runtime/pack/dist/opt/netrw/autoload/netrw.vim.", " - CVE-2026-47162", " * SECURITY UPDATE: Code Injection in cucumber filetype plugin.", " - debian/patches/CVE-2026-47167.patch: Use rubys Regexp.new() in", " runtime/ftplugin/cucumber.vim.", " - CVE-2026-47167", " * SECURITY UPDATE: Code execution with python3complete.", " - debian/patches/CVE-2026-52858.patch: Disable execution of import/from", " statements in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - debian/patches/CVE-2026-52860.patch: Strip default expressions and", " annotations in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - CVE-2026-52858", " - CVE-2026-52860", " * SECURITY UPDATE: Out-of-bounds read in update_snapshot().", " - debian/patches/CVE-2026-52859.patch: Bound loop in update_snapshot() in", " src/terminal.c.", " - CVE-2026-52859", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.4", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Mon, 15 Jun 2026 10:49:29 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.3", "version": "2:9.1.2141-1ubuntu4.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.5", "version": "2:9.1.2141-1ubuntu4.5" }, "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * debian/patches/0005-skip-autocmd-test-failing-on-arm64.patch", " - Skip tests failing on arm64", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.5", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 17 Jun 2026 09:37:36 -0600" }, { "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Code injection via NetrwBookHistSave().", " - debian/patches/CVE-2026-47162.patch: Properly quote the directory name", " in runtime/pack/dist/opt/netrw/autoload/netrw.vim.", " - CVE-2026-47162", " * SECURITY UPDATE: Code Injection in cucumber filetype plugin.", " - debian/patches/CVE-2026-47167.patch: Use rubys Regexp.new() in", " runtime/ftplugin/cucumber.vim.", " - CVE-2026-47167", " * SECURITY UPDATE: Code execution with python3complete.", " - debian/patches/CVE-2026-52858.patch: Disable execution of import/from", " statements in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - debian/patches/CVE-2026-52860.patch: Strip default expressions and", " annotations in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - CVE-2026-52858", " - CVE-2026-52860", " * SECURITY UPDATE: Out-of-bounds read in update_snapshot().", " - debian/patches/CVE-2026-52859.patch: Bound loop in update_snapshot() in", " src/terminal.c.", " - CVE-2026-52859", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.4", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Mon, 15 Jun 2026 10:49:29 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.3", "version": "2:9.1.2141-1ubuntu4.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.5", "version": "2:9.1.2141-1ubuntu4.5" }, "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * debian/patches/0005-skip-autocmd-test-failing-on-arm64.patch", " - Skip tests failing on arm64", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.5", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 17 Jun 2026 09:37:36 -0600" }, { "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Code injection via NetrwBookHistSave().", " - debian/patches/CVE-2026-47162.patch: Properly quote the directory name", " in runtime/pack/dist/opt/netrw/autoload/netrw.vim.", " - CVE-2026-47162", " * SECURITY UPDATE: Code Injection in cucumber filetype plugin.", " - debian/patches/CVE-2026-47167.patch: Use rubys Regexp.new() in", " runtime/ftplugin/cucumber.vim.", " - CVE-2026-47167", " * SECURITY UPDATE: Code execution with python3complete.", " - debian/patches/CVE-2026-52858.patch: Disable execution of import/from", " statements in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - debian/patches/CVE-2026-52860.patch: Strip default expressions and", " annotations in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - CVE-2026-52858", " - CVE-2026-52860", " * SECURITY UPDATE: Out-of-bounds read in update_snapshot().", " - debian/patches/CVE-2026-52859.patch: Bound loop in update_snapshot() in", " src/terminal.c.", " - CVE-2026-52859", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.4", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Mon, 15 Jun 2026 10:49:29 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.3", "version": "2:9.1.2141-1ubuntu4.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.5", "version": "2:9.1.2141-1ubuntu4.5" }, "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * debian/patches/0005-skip-autocmd-test-failing-on-arm64.patch", " - Skip tests failing on arm64", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.5", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 17 Jun 2026 09:37:36 -0600" }, { "cves": [ { "cve": "CVE-2026-47162", "url": "https://ubuntu.com/security/CVE-2026-47162", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-47167", "url": "https://ubuntu.com/security/CVE-2026-47167", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52858", "url": "https://ubuntu.com/security/CVE-2026-52858", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52860", "url": "https://ubuntu.com/security/CVE-2026-52860", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" }, { "cve": "CVE-2026-52859", "url": "https://ubuntu.com/security/CVE-2026-52859", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.", "cve_priority": "medium", "cve_public_date": "2026-06-11 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Code injection via NetrwBookHistSave().", " - debian/patches/CVE-2026-47162.patch: Properly quote the directory name", " in runtime/pack/dist/opt/netrw/autoload/netrw.vim.", " - CVE-2026-47162", " * SECURITY UPDATE: Code Injection in cucumber filetype plugin.", " - debian/patches/CVE-2026-47167.patch: Use rubys Regexp.new() in", " runtime/ftplugin/cucumber.vim.", " - CVE-2026-47167", " * SECURITY UPDATE: Code execution with python3complete.", " - debian/patches/CVE-2026-52858.patch: Disable execution of import/from", " statements in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - debian/patches/CVE-2026-52860.patch: Strip default expressions and", " annotations in runtime/autoload/python3complete.vim and", " ../pythoncomplete.vim", " - CVE-2026-52858", " - CVE-2026-52860", " * SECURITY UPDATE: Out-of-bounds read in update_snapshot().", " - debian/patches/CVE-2026-52859.patch: Bound loop in update_snapshot() in", " src/terminal.c.", " - CVE-2026-52859", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.4", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Mon, 15 Jun 2026 10:49:29 -0600" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-7.0.0-27", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": "linux-headers-7.0.0-27 version '7.0.0-27.27' (source package linux version '7.0.0-27.27') was added. linux-headers-7.0.0-27 version '7.0.0-27.27' has the same source package name, linux, as removed package linux-headers-7.0.0-22. As such we can use the source package version of the removed package, '7.0.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-headers-7.0.0-27-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": "linux-headers-7.0.0-27-generic version '7.0.0-27.27' (source package linux version '7.0.0-27.27') was added. linux-headers-7.0.0-27-generic version '7.0.0-27.27' has the same source package name, linux, as removed package linux-headers-7.0.0-22. As such we can use the source package version of the removed package, '7.0.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-7.0.0-27-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": "linux-image-7.0.0-27-generic version '7.0.0-27.27' (source package linux version '7.0.0-27.27') was added. linux-image-7.0.0-27-generic version '7.0.0-27.27' has the same source package name, linux, as removed package linux-headers-7.0.0-22. As such we can use the source package version of the removed package, '7.0.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-main-modules-zfs-7.0.0-27-generic", "from_version": { "source_package_name": "linux-main-signed", "source_package_version": "7.0.0-22.22", "version": null }, "to_version": { "source_package_name": "linux-main-signed", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013, 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-27.27", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-main-signed", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 19:20:01 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-26.26", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-main-signed", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:44:06 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-23.23", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-main-signed", "version": "7.0.0-23.23", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 02:54:42 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-21.21", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-main-signed", "version": "7.0.0-21.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Fri, 22 May 2026 21:10:27 +0200" } ], "notes": "linux-main-modules-zfs-7.0.0-27-generic version '7.0.0-27.27' (source package linux-main-signed version '7.0.0-27.27') was added. linux-main-modules-zfs-7.0.0-27-generic version '7.0.0-27.27' has the same source package name, linux-main-signed, as removed package linux-main-modules-zfs-7.0.0-22-generic. As such we can use the source package version of the removed package, '7.0.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-7.0.0-27-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": "linux-modules-7.0.0-27-generic version '7.0.0-27.27' (source package linux version '7.0.0-27.27') was added. linux-modules-7.0.0-27-generic version '7.0.0-27.27' has the same source package name, linux, as removed package linux-headers-7.0.0-22. As such we can use the source package version of the removed package, '7.0.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-tools-7.0.0-27", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": "linux-tools-7.0.0-27 version '7.0.0-27.27' (source package linux version '7.0.0-27.27') was added. linux-tools-7.0.0-27 version '7.0.0-27.27' has the same source package name, linux, as removed package linux-headers-7.0.0-22. As such we can use the source package version of the removed package, '7.0.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-tools-7.0.0-27-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-27.27", "version": "7.0.0-27.27" }, "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" }, { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845, 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-46316", "url": "https://ubuntu.com/security/CVE-2026-46316", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.", "cve_priority": "medium", "cve_public_date": "2026-06-09 13:16:00 UTC" }, { "cve": "CVE-2026-46244", "url": "https://ubuntu.com/security/CVE-2026-46244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.", "cve_priority": "medium", "cve_public_date": "2026-06-03 18:16:00 UTC" }, { "cve": "CVE-2026-46137", "url": "https://ubuntu.com/security/CVE-2026-46137", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46185", "url": "https://ubuntu.com/security/CVE-2026-46185", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46195", "url": "https://ubuntu.com/security/CVE-2026-46195", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46289", "url": "https://ubuntu.com/security/CVE-2026-46289", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series \"Fix bugs in extract_iter_to_sg()\", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.", "cve_priority": "medium", "cve_public_date": "2026-06-08 17:16:00 UTC" }, { "cve": "CVE-2026-46119", "url": "https://ubuntu.com/security/CVE-2026-46119", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.", "cve_priority": "high", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46135", "url": "https://ubuntu.com/security/CVE-2026-46135", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.", "cve_priority": "critical", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46155", "url": "https://ubuntu.com/security/CVE-2026-46155", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46115", "url": "https://ubuntu.com/security/CVE-2026-46115", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.", "cve_priority": "medium", "cve_public_date": "2026-05-28 10:16:00 UTC" }, { "cve": "CVE-2026-46243", "url": "https://ubuntu.com/security/CVE-2026-46243", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.", "cve_priority": "medium", "cve_public_date": "2026-06-01 17:17:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable NOVA_CORE", "", " * CVE-2026-46316", " - KVM: arm64: vgic-its: Drop the translation cache reference only for the", " erased entry", "", " * CVE-2026-46244", " - netfilter: nft_inner: Fix IPv6 inner_thoff desync", "", " * CVE-2026-46137", " - mptcp: pm: ADD_ADDR rtx: allow ID 0", " - mptcp: pm: ADD_ADDR rtx: fix potential data-race", "", " * CVE-2026-46185", " - smb/client: fix out-of-bounds read in symlink_data()", "", " * CVE-2026-46195", " - smb: client: validate dacloffset before building DACL pointers", "", " * CVE-2026-46289", " - lib/scatterlist: fix length calculations in extract_kvec_to_sg", "", " * CVE-2026-46119", " - libceph: Fix slab-out-of-bounds access in auth message processing", "", " * CVE-2026-46135", " - nvmet-tcp: fix race between ICReq handling and queue teardown", "", " * CVE-2026-46155", " - smb/client: fix out-of-bounds read in smb2_compound_op()", "", " * CVE-2026-46115", " - block: add pgmap check to biovec_phys_mergeable", "", " * CVE-2026-46243", " - smb: client: reject userspace cifs.spnego descriptions", "" ], "package": "linux", "version": "7.0.0-27.27", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2157114, 1786013, 2150845 ], "author": "Manuel Diewald ", "date": "Thu, 18 Jun 2026 18:54:56 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)", "", " * Packaging resync (LP: #1786013)", " - Revert \"UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)\"", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/2026.05.18)", "", " * Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)", " - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops", "", " * ov08x40 module mounted upside down on a certain DELL platforms", " (LP: #2146517)", " - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with", " upside down sensors", " - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside", " down sensors", "", " * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor", " (LP: #2147409)", " - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10", " - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for", " OV05C10", "", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", "", " * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms", " (LP: #2150196)", " - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match", " tables", " - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix", " - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list", "", " * powerpc-build in ubuntu_kernel_selftests fails to build due to", " uninitialized value (LP: #2129844)", " - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15", "", " * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,", " conflicting with nouveau (LP: #2150845)", " - [Config] Disable DRM_NOVA", "", " * Resolute update: v7.0.6 upstream stable release (LP: #2152558)", " - Linux 7.0.6", " - Upstream stable to v7.0.6", "", " * Resolute update: v7.0.5 upstream stable release (LP: #2152556)", " - Linux 7.0.5", " - Upstream stable to v7.0.5", "", " * Resolute update: v7.0.4 upstream stable release (LP: #2152552)", " - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES", " - ALSA: usb-audio: Avoid false E-MU sample-rate notifications", " - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch", " - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()", " - usb: chipidea: otg: not wait vbus drop if use role_switch", " - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS", " change", " - ALSA: usb-audio: Evaluate packsize caps at the right place", " - LoongArch: Add spectre boundry for syscall dispatch table", " - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check", " - leds: qcom-lpg: Check for array overflow when selecting the high", " resolution", " - greybus: gb-beagleplay: bound bootloader receive buffering", " - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()", " - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()", " - ibmasm: fix OOB reads in command_file_write due to missing size checks", " - ibmasm: fix heap over-read in ibmasm_send_i2o_message()", " - sysfs: attribute_group: Respect is_visible_const() when changing owner", " - driver core: Don't let a device probe until it's ready", " - device property: Make modifications of fwnode \"flags\" thread safe", " - drm/nouveau: fix nvkm_device leak on aperture removal failure", " - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs", " - kbuild: rust: allow `clippy::uninlined_format_args`", " - fs: afs: revert mmap_prepare() change", " - firmware: google: framebuffer: Do not mark framebuffer as busy", " - lib: test_hmm: evict device pages on file close to avoid use-after-free", " - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()", " - arm64: mm: Fix rodata=full block mapping support for realm guests", " - mm: migrate: requeue destination folio on deferred split queue", " - mm: prevent droppable mappings from being locked", " - mm: fix deferred split queue races during migration", " - ocfs2: split transactions in dio completion to avoid credit exhaustion", " - Input: edt-ft5x06 - fix use-after-free in debugfs teardown", " - zram: do not forget to endio for partial discard requests", " - wifi: rtw88: check for PCI upstream bridge existence", " - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()", " - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()", " - vfio/xe: Add a missing vfio_pci_core_release_dev()", " - vfio/virtio: Convert list_lock from spinlock to mutex", " - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex", " - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path", " - um: drivers: call kernel_strrchr() explicitly in cow_user.c", " - thermal: core: Fix thermal zone governor cleanup issues", " - spi: imx: fix use-after-free on unbind", " - spi: ch341: fix memory leaks on probe failures", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: pcrypt - Fix handling of MAY_BACKLOG requests", " - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock", " constraints", " - of: unittest: fix use-after-free in of_unittest_changeset()", " - of: unittest: fix use-after-free in testdrv_probe()", " - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt", " - EDAC/versalnet: Fix device_node leak in mc_probe()", " - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX", " - media: amphion: Fix race between m2m job_abort and device_run", " - ALSA: control: Validate buf_len before strnlen() in", " snd_ctl_elem_init_enum_names()", " - net: caif: clear client service pointer on teardown", " - net: strparser: fix skb_head leak in strp_abort_strp()", " - media: mtk-jpeg: fix use-after-free in release path due to uncancelled", " work", " - crypto: atmel-sha204a - Fix OTP sysfs read and error handling", " - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown", " - Revert \"ALSA: usb: Increase volume range that triggers a warning\"", " - phy: qcom: m31-eusb2: clear PLL_EN during init", " - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete", " - lib/ts_kmp: fix integer overflow in pattern length calculation", " - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in", " imx219_probe()", " - net: qrtr: ns: Fix use-after-free in driver remove()", " - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", " - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()", " - ALSA: aoa: i2sbus: clear stale prepared state", " - ALSA: aoa: i2sbus: fix OF node lifetime handling", " - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()", " - ALSA: ctxfi: Add fallback to default RSR for S/PDIF", " - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes", " - erofs: fix the out-of-bounds nameoff handling for trailing dirents", " - ipmi:ssif: Clean up kthread on errors", " - jbd2: fix deadlock in jbd2_journal_cancel_revoke()", " - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs", " - md/raid10: fix deadlock with check operation and nowait requests", " - media: rc: igorplugusb: heed coherency rules", " - media: rockchip: rkcif: fix off by one bugs", " - media: rockchip: rkcif: comply with minimum number of buffers", " requirement", " - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused", " - mm/alloc_tag: clear codetag for pages allocated before page_ext", " initialization", " - mm/damon/core: fix damon_call() vs kdamond_fn() exit race", " - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race", " - mm/hugetlb: fix early boot crash on parameters without '=' separator", " - mtd: docg3: fix use-after-free in docg3_release()", " - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4", " - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set", " - parisc: _llseek syscall is only available for 32-bit userspace", " - parisc: Drop ip_fast_csum() inline assembly implementation", " - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access", " - PCI: imx6: Fix reference clock source selection for i.MX95", " - perf annotate: Use jump__delete when freeing LoongArch jumps", " - RDMA/mana_ib: Disable RX steering on RSS QP destroy", " - remoteproc: xlnx: Only access buffer information if IPI is buffered", " - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime", " - sched: Use u64 for bandwidth ratio calculations", " - selftests/mqueue: Fix incorrectly named file", " - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()", " - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1", " - selftests/landlock: Drain stale audit records on init", " - selftests/landlock: Fix format warning for __u64 in net_test", " - selftests/landlock: Fix snprintf truncation checks in audit helpers", " - selftests/landlock: Skip stale records in audit_match_record()", " - rbd: fix null-ptr-deref when device_add_disk() fails", " - mm/zone_device: do not touch device folio after calling ->folio_free()", " - block: fix zone write plugs refcount handling in", " disk_zone_wplug_schedule_bio_work()", " - io_uring/zcrx: return back two step unregistration", " - io_uring/timeout: check unused sqe fields", " - block: relax pgmap check in bio_add_page for compatible zone device", " pages", " - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()", " - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs", " - io_uring/zcrx: fix user_struct uaf", " - io_uring/poll: fix signed comparison in io_poll_get_ownership()", " - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE", " - module.lds,codetag: force 0 sh_addr for sections", " - module.lds.S: Fix modules on 32-bit parisc architecture", " - ALSA: core: Fix potential data race at fasync handling", " - ALSA: caiaq: Fix control_put() result and cache rollback", " - ALSA: caiaq: Handle probe errors properly", " - ALSA: 6fire: Fix input volume change detection", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx", " - ALSA: pcmtest: fix reference leak on failed device registration", " - ALSA: pcmtest: Fix resource leaks in module init error paths", " - iio: adc: ad7768-1: fix one-shot mode data acquisition", " - iio: adc: ad7768-1: remove switch to one-shot mode", " - rxrpc: Fix memory leaks in rxkad_verify_response()", " - rxrpc: Fix rxkad crypto unalignment handling", " - rxrpc: Fix error handling in rxgk_extract_token()", " - rxrpc: Fix re-decryption of RESPONSE packets", " - EDAC/versalnet: Fix memory leak in remove and probe error paths", " - tools/accounting: handle truncated taskstats netlink messages", " - net: txgbe: fix RTNL assertion warning when remove module", " - arm64: dts: marvell: uDPU: add ethernet aliases", " - net: qrtr: ns: Limit the maximum server registration per node", " - net: qrtr: ns: Limit the maximum number of lookups", " - net: qrtr: ns: Free the node during ctrl_cmd_bye()", " - net: qrtr: ns: Limit the total number of nodes", " - net: rds: fix MR cleanup on copy error", " - net: txgbe: fix firmware version check", " - net/smc: avoid early lgr access in smc_clc_wait_msg", " - net: ks8851: Reinstate disabling of BHs around IRQ handler", " - net: bridge: use a stable FDB dst snapshot in RCU readers", " - netconsole: avoid out-of-bounds access on empty string in trim_newline()", " - net: mctp: fix don't require received header reserved bits to be zero", " - net: ks8851: Avoid excess softirq scheduling", " - drm/arcpgu: fix device node leak", " - slub: fix data loss and overflow in krealloc()", " - tracing/fprobe: Reject registration of a registered fprobe before init", " - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv", " - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING", " DISABLE_BRANCH_PROFILING", " - ipv4: icmp: validate reply type before using icmp_pointers", " - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()", " - spi: fix resource leaks on device setup failure", " - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'", " - tpm: avoid -Wunused-but-set-variable", " - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist", " - LoongArch: Show CPU vulnerabilites correctly", " - fbdev: defio: Disconnect deferred I/O from the lifetime of struct", " fb_info", " - power: supply: axp288_charger: Do not cancel work before initializing it", " - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit", " - hwmon: (powerz) Avoid cacheline sharing for DMA buffer", " - media: rzv2h-ivc: Revise default VBLANK formula", " - media: rzv2h-ivc: Fix AXIRX_VBLANK register write", " - fs: prepare for adding LSM blob to backing_file", " - lsm: add backing_file LSM hooks", " - selinux: fix overlayfs mmap() and mprotect() access checks", " - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()", " - randomize_kstack: Maintain kstack_offset per task", " - mmc: block: use single block write in retry", " - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration", " - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins", " - crypto: qat - fix IRQ cleanup on 6xxx probe failure", " - xfs: start gc on zonegc_low_space attribute updates", " - xfs: fix a resource leak in xfs_alloc_buftarg()", " - firmware: google: framebuffer: Do not unregister platform device", " - firmware: exynos-acpm: Drop fake 'const' on handle pointer", " - crypto: talitos - fix SEC1 32k ahash request limitation", " - crypto: talitos - rename first/last to first_desc/last_desc", " - pwm: imx-tpm: Count the number of enabled channels in probe", " - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()", " - tpm: Fix auth session leak in tpm2_get_random() error path", " - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()", " - tpm: tpm_tis: add error logging for data transfer", " - tpm: tpm_tis: stop transmit if retries are exhausted", " - rtc: ntxec: fix OF node reference imbalance", " - mm/vmalloc: take vmap_purge_lock in shrinker", " - mm/memfd_luo: fix physical address conversion in put_folios cleanup", " - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()", " - mm/damon/stat: fix memory leak on damon_start() failure in", " damon_stat_start()", " - mm/damon/core: validate damos_quota_goal->nid for", " node_mem_{used,free}_bp", " - mm/damon/core: validate damos_quota_goal->nid for", " node_memcg_{used,free}_bp", " - mm/damon/core: use time_in_range_open() for damos quota window start", " - mm/damon/core: disallow time-quota setting zero esz", " - mm/damon/core: disallow non-power of two min_region_sz on damon_start()", " - userfaultfd: allow registration of ranges below mmap_min_addr", " - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()", " - KVM: x86: Defer non-architectural deliver of exception payload to", " userspace read", " - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state", " - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2", " - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2", " - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0", " - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts", " - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode", " - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN", " - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run", " - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT", " - KVM: arm64: Account for RESx bits in __compute_fgt()", " - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", " - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run", " - KVM: SVM: Switch svm_copy_lbrs() to a macro", " - KVM: SVM: Add missing save/restore handling of LBR MSRs", " - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN", " - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper", " - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper", " - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT", " - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT", " - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)", " - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT", " - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT", " - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS", " - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE", " - KVM: nSVM: Add missing consistency check for nCR3 validity", " - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1", " - KVM: nSVM: Always intercept VMMCALL when L2 is active", " - ARM: 9472/1: fix race condition on PG_dcache_clean in", " __sync_icache_dcache()", " - ring-buffer: Do not double count the reader_page", " - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access", " - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()", " - udf: fix partition descriptor append bookkeeping", " - mtd: spi-nor: sst: Fix write enable before AAI sequence", " - mtd: spinand: winbond: Declare the QE bit on W25NxxJW", " - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2", " - md/md-llbitmap: skip reading rdevs that are not in_sync", " - md/md-llbitmap: raise barrier before state machine transition", " - md/raid5: fix soft lockup in retry_aligned_read()", " - md/raid5: validate payload size before accessing journal metadata", " - check-uapi: link into shared objects", " - mm, swap: speed up hibernation allocation and writeout", " - HID: apple: ensure the keyboard backlight is off if suspending", " - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()", " fails", " - x86/cpu: Disable FRED when PTI is forced on", " - x86/shstk: Prevent deadlock during shstk sigreturn", " - wifi: rtl8xxxu: fix potential use of uninitialized value", " - tcp: call sk_data_ready() after listener migration", " - taskstats: set version in TGID exit notifications", " - mptcp: sync the msk->sndbuf at accept() time", " - mfd: core: Preserve OF node when ACPI handle is present", " - 9p: fix access mode flags being ORed instead of replaced", " - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers", " - bus: mhi: host: pci_generic: Switch to async power up to avoid boot", " delays", " - can: ucan: fix devres lifetime", " - crypto: acomp - fix wrong pointer stored by acomp_save_req()", " - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit", " - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup", " - crypto: atmel-ecc - Release client on allocation failure", " - crypto: hisilicon - Fix dma_unmap_single() direction", " - crypto: ccree - fix a memory leak in cc_mac_digest()", " - crypto: atmel-tdes - fix DMA sync direction", " - crypto: atmel-sha204a - Fix error codes in OTP reads", " - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path", " - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error", " - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx", " - crypto: nx - fix context leak in nx842_crypto_free_ctx", " - crypto: nx - Fix packed layout in struct nx842_crypto_header", " - dm mirror: fix integer overflow in create_dirty_log()", " - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()", " - ceph: fix num_ops off-by-one when crypto allocation fails", " - ceph: only d_add() negative dentries when they are unhashed", " - gtp: disable BH before calling udp_tunnel_xmit_skb()", " - IB/core: Fix zero dmac race in neighbor resolution", " - ktest: Fix the month in the name of the failure directory", " - NFSv4.1: Apply session size limits on clone path", " - ntfs3: add buffer boundary checks to run_unpack()", " - ntfs3: fix integer overflow in run_unpack() volume boundary check", " - rtmutex: Use waiter::task instead of current in remove_waiter()", " - rxgk: Fix potential integer overflow in length check", " - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle", " - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails", " - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode", " - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND", " - iio: frequency: admv1013: add dev variable", " - iio: frequency: admv1013: fix NULL pointer dereference on str", " - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor", " - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling", " - mm: various small mmap_prepare cleanups", " - mm: avoid deadlock when holding rmap on mmap_prepare error", " - mei: me: use PCI_DEVICE_DATA macro", " - mei: me: add nova lake point H DID", " - crypto: authencesn - reject short ahash digests during instance creation", " - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value", " - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path", " - ALSA: caiaq: Don't abort when no input device is available", " - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows", " - drm/amdgpu: fix zero-size GDS range init on RDNA4", " - drm/imagination: Fix segfault when updating ftrace mask", " - ALSA: caiaq: fix usb_dev refcount leak on probe failure", " - ALSA: aloop: Fix peer runtime UAF during format-change stop", " - vmalloc: fix buffer overflow in vrealloc_node_align()", " - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI", " on UP", " - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP", " - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels", " - netfilter: reject zero shift in nft_bitwise", " - ipmi:ssif: Remove unnecessary indention", " - ipmi:ssif: NULL thread on error", " - Linux 7.0.4", " - Upstream stable to v7.0.4", "", " * Resolute update: v7.0.3 upstream stable release (LP: #2152550)", " - Buffer overflow in drivers/xen/sys-hypervisor.c", " - xen/privcmd: fix double free via VMA splitting", " - Linux 7.0.3", " - Upstream stable to v7.0.3", "", " * Resolute update: v7.0.2 upstream stable release (LP: #2150553)", " - crypto: authencesn - Fix src offset when decrypting in-place", " - pwm: th1520: fix `CLIPPY=1` warning", " - drm/amdgpu: replace PASID IDR with XArray", " - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch", " - crypto: krb5enc - fix async decrypt skipping hash verification", " - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger", " - ksmbd: validate owner of durable handle on reconnect", " - scripts: generate_rust_analyzer.py: define scripts", " - scripts/dtc: Remove unused dts_version in dtc-lexer.l", " - fs/ntfs3: validate rec->used in journal-replay file record check", " - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally", " - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in", " f2fs_write_end_io()", " - f2fs: fix to avoid memory leak in f2fs_rename()", " - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer", " - fuse: reject oversized dirents in page cache", " - fuse: abort on fatal signal during sync init", " - fuse: Check for large folio with SPLICE_F_MOVE", " - fuse: quiet down complaints in fuse_conn_limit_write", " - fuse: fuse_dev_ioctl_clone() should wait for device file to be", " initialized", " - ksmbd: require minimum ACE size in smb_check_perm_dacl()", " - smb: server: fix active_num_conn leak on transport allocation failure", " - smb: client: fix dir separator in SMB1 UNIX mounts", " - smb: server: fix max_connections off-by-one in tcp accept path", " - smb: client: require a full NFS mode SID before reading mode bits", " - smb: client: validate the whole DACL before rewriting it in cifsacl", " - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path", " - ksmbd: validate response sizes in ipc_validate_msg()", " - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", " - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", " - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow", " - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()", " - writeback: Fix use after free in inode_switch_wbs_work_fn()", " - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()", " - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu", " - ALSA: hda/realtek: Add quirk for Legion S7 15IMH", " - ALSA: caiaq: take a reference on the USB device in create_card()", " - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()", " - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command", " failed", " - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed", " - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing", " - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER", " - Linux 7.0.2", "", " * Resolute update: v7.0.1 upstream stable release (LP: #2150547)", " - Revert \"UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports\"", " - nfc: llcp: add missing return after LLCP_CLOSED checks", " - x86/CPU: Fix FPDSS on Zen1", " - can: raw: fix ro->uniq use-after-free in raw_rcv()", " - i2c: s3c24xx: check the size of the SMBUS message before using it", " - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", " - HID: alps: fix NULL pointer dereference in alps_raw_event()", " - HID: core: clamp report_size in s32ton() to avoid undefined shift", " - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", " - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler", " - drm/vc4: platform_get_irq_byname() returns an int", " - bnge: return after auxiliary_device_uninit() in error path", " - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0", " - ALSA: fireworks: bound device-supplied status before string array lookup", " - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", " - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", " - usb: gadget: renesas_usb3: validate endpoint index in standard request", " handlers", " - smb: client: fix off-by-8 bounds check in check_wsl_eas()", " - smb: client: fix OOB reads parsing symlink error response", " - ksmbd: validate EaNameLength in smb2_get_ea()", " - ksmbd: require 3 sub-authorities before reading sub_auth[2]", " - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc", " - smb: client: avoid double-free in smbd_free_send_io() after", " smbd_send_batch_flush()", " - smb: server: avoid double-free in smb_direct_free_sendmsg after", " smb_direct_flush_send_list()", " - usbip: validate number_of_packets in usbip_pack_ret_submit()", " - usb: typec: fusb302: Switch to threaded IRQ handler", " - usb: storage: Expand range of matched versions for VL817 quirks entry", " - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen", " - usb: gadget: f_hid: don't call cdev_init while cdev in use", " - usb: port: add delay after usb_hub_set_port_power()", " - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO", " - scripts/gdb/symbols: handle module path parameters", " - scripts: generate_rust_analyzer.py: avoid FD leak", " - wifi: rtw88: fix device leak on probe failure", " - staging: sm750fb: fix division by zero in ps_to_hz()", " - selftests/mm: hmm-tests: don't hardcode THP size to 2MB", " - USB: serial: option: add Telit Cinterion FN990A MBIM composition", " - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates", " race", " - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates", " race", " - ALSA: ctxfi: Limit PTP to a single page", " - dcache: Limit the minimal number of bucket to two", " - vfio/xe: Reorganize the init to decouple migration from reset", " - arm64: mm: Handle invalid large leaf mappings correctly", " - media: vidtv: fix NULL pointer dereference in", " vidtv_channel_pmt_match_sections", " - ocfs2: fix possible deadlock between unlink and dio_end_io_write", " - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY", " - ocfs2: handle invalid dinode in ocfs2_group_extend", " - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in", " epf_ntb_epc_cleanup", " - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown", " - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES", " migrate test", " - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted", " vCPU", " - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock", " - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created", " - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", " - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", " - mm: call ->free_folio() directly in folio_unmap_invalidate()", " - checkpatch: add support for Assisted-by tag", " - x86-64: rename misleadingly named '__copy_user_nocache()' function", " - x86: rename and clean up __copy_from_user_inatomic_nocache()", " - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache", " - KVM: x86: Use scratch field in MMIO fragment to hold small write values", " - ASoC: qcom: q6apm: move component registration to unmanaged version", " - mm/kasan: fix double free for kasan pXds", " - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", " - media: vidtv: fix nfeeds state corruption on start_streaming failure", " - media: mediatek: vcodec: fix use-after-free in encoder release path", " - media: em28xx: fix use-after-free in em28xx_v4l2_open()", " - hwmon: (powerz) Fix use-after-free on USB disconnect", " - ALSA: 6fire: fix use-after-free on disconnect", " - bcache: fix cached_dev.sb_bio use-after-free and crash", " - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in", " pre_exit", " - media: as102: fix to not free memory after the device is registered in", " as102_usb_probe()", " - nilfs2: fix NULL i_assoc_inode dereference in", " nilfs_mdt_save_to_shadow_map", " - media: vidtv: fix pass-by-value structs causing MSAN warnings", " - media: hackrf: fix to not free memory after the device is registered in", " hackrf_probe()", " - mm/userfaultfd: fix hugetlb fault mutex hash calculation", " - clockevents: Add missing resets of the next_event_forced flag", " - Linux 7.0.1", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " * AppArmor Vulnerabilities (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //", " CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-26.26", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154530, 1786013, 2150065, 2146517, 2147409, 2121852, 2150196, 2129844, 2150845, 2152558, 2152556, 2152552, 2152550, 2150553, 2150547, 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153962 ], "author": "Edoardo Canepa ", "date": "Fri, 29 May 2026 03:41:14 +0200" } ], "notes": "linux-tools-7.0.0-27-generic version '7.0.0-27.27' (source package linux version '7.0.0-27.27') was added. linux-tools-7.0.0-27-generic version '7.0.0-27.27' has the same source package name, linux, as removed package linux-headers-7.0.0-22. As such we can use the source package version of the removed package, '7.0.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-7.0.0-22", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-7.0.0-22-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-7.0.0-22-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-main-modules-zfs-7.0.0-22-generic", "from_version": { "source_package_name": "linux-main-signed", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-7.0.0-22-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-tools-7.0.0-22", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-tools-7.0.0-22-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 26.04 resolute image from release image serial 20260612 to 20260627", "from_series": "resolute", "to_series": "resolute", "from_serial": "20260612", "to_serial": "20260627", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }