{"schema_version":"1.7.2","id":"OESA-2026-2676","modified":"2026-06-12T12:28:30Z","published":"2026-06-12T12:28:30Z","upstream":["CVE-2025-39781","CVE-2025-71109","CVE-2026-23213","CVE-2026-23214","CVE-2026-31527","CVE-2026-31607","CVE-2026-31662","CVE-2026-31709","CVE-2026-31759","CVE-2026-43024","CVE-2026-43038","CVE-2026-43059","CVE-2026-43083","CVE-2026-43088","CVE-2026-43089","CVE-2026-43101","CVE-2026-43107","CVE-2026-43180","CVE-2026-43194","CVE-2026-43198","CVE-2026-43216","CVE-2026-43248","CVE-2026-43303","CVE-2026-43334","CVE-2026-43465","CVE-2026-43466","CVE-2026-45850","CVE-2026-45893","CVE-2026-45894","CVE-2026-45895","CVE-2026-45915","CVE-2026-45920","CVE-2026-45944","CVE-2026-45949","CVE-2026-45968","CVE-2026-45973","CVE-2026-45984","CVE-2026-46006","CVE-2026-46021","CVE-2026-46032","CVE-2026-46033","CVE-2026-46052","CVE-2026-46065","CVE-2026-46153","CVE-2026-46242","CVE-2026-46245"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Drop WARN_ON_ONCE() from flush_cache_vmap\n\nI have observed warning to occassionally trigger.(CVE-2025-39781)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits\n\nSince commit e424054000878 ("MIPS: Tracing: Reduce the overhead of\ndynamic Function Tracer"), the macro UASM_i_LA_mostly has been used,\nand this macro can generate more than 2 instructions. At the same\ntime, the code in ftrace assumes that no more than 2 instructions can\nbe generated, which is why it stores them in an int[2] array. However,\nas previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA)\ncauses a buffer overflow when _mcount is beyond 32 bits. This leads to\ncorruption of the variables located in the __read_mostly section.\n\nThis corruption was observed because the variable\n__cpu_primary_thread_mask was corrupted, causing a hang very early\nduring boot.\n\nThis fix prevents the corruption by avoiding the generation of\ninstructions if they could exceed 2 instructions in\nlength. Fortunately, insn_la_mcount is only used if the instrumented\ncode is located outside the kernel code section, so dynamic ftrace can\nstill be used, albeit in a more limited scope. This is still\npreferable to corrupting memory and/or crashing the kernel.(CVE-2025-71109)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Disable MMIO access during SMU Mode 1 reset\n\nDuring Mode 1 reset, the ASIC undergoes a reset cycle and becomes\ntemporarily inaccessible via PCIe. Any attempt to access MMIO registers\nduring this window (e.g., from interrupt handlers or other driver threads)\ncan result in uncompleted PCIe transactions, leading to NMI panics or\nsystem hangs.\n\nTo prevent this, set the `no_hw_access` flag to true immediately after\ntriggering the reset. This signals other driver components to skip\nregister accesses while the device is offline.\n\nA memory barrier `smp_mb()` is added to ensure the flag update is\nglobally visible to all cores before the driver enters the sleep/wait\nstate.\n\n(cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4)(CVE-2026-23213)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject new transactions if the fs is fully read-only\n\n[BUG]\nThere is a bug report where a heavily fuzzed fs is mounted with all\nrescue mount options, which leads to the following warnings during\nunmount:\n\n BTRFS: Transaction aborted (error -22)\n Modules linked in:\n CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted\n 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]\n RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611\n Call Trace:\n <TASK>\n btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705\n btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157\n btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517\n btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708\n btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130\n btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499\n btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628\n evict+0x5f4/0xae0 fs/inode.c:837\n __dentry_kill+0x209/0x660 fs/dcache.c:670\n finish_dput+0xc9/0x480 fs/dcache.c:879\n shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661\n generic_shutdown_super+0x67/0x2c0 fs/super.c:621\n kill_anon_super+0x3b/0x70 fs/super.c:1289\n btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127\n deactivate_locked_super+0xbc/0x130 fs/super.c:474\n cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318\n task_work_run+0x1d4/0x260 kernel/task_work.c:233\n exit_task_work include/linux/task_work.h:40 [inline]\n do_exit+0x694/0x22f0 kernel/exit.c:971\n do_group_exit+0x21c/0x2d0 kernel/exit.c:1112\n __do_sys_exit_group kernel/exit.c:1123 [inline]\n __se_sys_exit_group kernel/exit.c:1121 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121\n x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x44f639\n Code: Unable to access opcode bytes at 0x44f60f.\n RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\n RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639\n RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\n RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0\n R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>\n\nSince rescue mount options will mark the full fs read-only, there should\nbe no new transaction triggered.\n\nBut during unmount we will evict all inodes, which can trigger a new\ntransaction, and triggers warnings on a heavily corrupted fs.\n\n[CAUSE]\nBtrfs allows new transaction even on a read-only fs, this is to allow\nlog replay happen even on read-only mounts, just like what ext4/xfs do.\n\nHowever with rescue mount options, the fs is fully read-only and cannot\nbe remounted read-write, thus in that case we should also reject any new\ntransactions.\n\n[FIX]\nIf we find the fs has rescue mount options, we should treat the fs as\nerror, so that no new transaction can be started.(CVE-2026-23214)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: platform: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1](CVE-2026-31527)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb->number_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb->iso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n The buggy address is located 0 bytes to the right of\n allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo's series ("usb: usbip: fix integer overflow in\nusbip_recv_iso()", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu->number_of_packets against\nurb->number_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early.(CVE-2026-31607)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG\n\nThe GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements\nbc_ackers on every inbound group ACK, even when the same member has\nalready acknowledged the current broadcast round.\n\nBecause bc_ackers is a u16, a duplicate ACK received after the last\nlegitimate ACK wraps the counter to 65535. Once wrapped,\ntipc_group_bc_cong() keeps reporting congestion and later group\nbroadcasts on the affected socket stay blocked until the group is\nrecreated.\n\nFix this by ignoring duplicate or stale ACKs before touching bc_acked or\nbc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and\nprevents the underflow path.(CVE-2026-31662)\n\nIn the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl. build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs.(CVE-2026-31709)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix double free in ulpi_register_interface() error path\n\nWhen device_register() fails, ulpi_register() calls put_device() on\nulpi->dev.\n\nThe device release callback ulpi_dev_release() drops the OF node\nreference and frees ulpi, but the current error path in\nulpi_register_interface() then calls kfree(ulpi) again, causing a\ndouble free.\n\nLet put_device() handle the cleanup through ulpi_dev_release() and\navoid freeing ulpi again in ulpi_register_interface().(CVE-2026-31759)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject immediate NF_QUEUE verdict\n\nnft_queue is always used from userspace nftables to deliver the NF_QUEUE\nverdict. Immediately emitting an NF_QUEUE verdict is never used by the\nuserspace nft tools, so reject immediate NF_QUEUE verdicts.\n\nThe arp family does not provide queue support, but such an immediate\nverdict is still reachable. Globally reject NF_QUEUE immediate verdicts\nto address this issue.(CVE-2026-43024)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n and passed to icmp6_send(), it uses IP6CB(skb2).\n\n IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n at offset 18.\n\n If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).\n\n This would scan the inner, attacker-controlled IPv6 packet starting at that\n offset, potentially returning a fake TLV without checking if the remaining\n packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n of the packet data into skb_shared_info?\n\n Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway.(CVE-2026-43038)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd->opcode directly.(CVE-2026-43059)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: ioam6: fix OOB and missing lock\n\nWhen trace->type.bit6 is set:\n\n if (trace->type.bit6) {\n ...\n queue = skb_get_tx_queue(dev, skb);\n qdisc = rcu_dereference(queue->qdisc);\n\nThis code can lead to an out-of-bounds access of the dev->_tx[] array\nwhen is_input is true. In such a case, the packet is on the RX path and\nskb->queue_mapping contains the RX queue index of the ingress device. If\nthe ingress device has more RX queues than the egress device (dev) has\nTX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.\nAdd a check to avoid this situation since skb_get_tx_queue() does not\nclamp the index. This issue has also revealed that per queue visibility\ncannot be accurate and will be replaced later as a new feature.\n\nWhile at it, add missing lock around qdisc_qstats_qlen_backlog(). The\nfunction __ioam6_fill_trace_data() is called from both softirq and\nprocess contexts, hence the use of spin_lock_bh() here.(CVE-2026-43083)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: af_key: zero aligned sockaddr tail in PF_KEY exports\n\nPF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr\npayload space, so IPv6 addresses occupy 32 bytes on the wire. However,\n`pfkey_sockaddr_fill()` initializes only the first 28 bytes of\n`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.\n\nNot every PF_KEY message is affected. The state and policy dump builders\nalready zero the whole message buffer before filling the sockaddr\npayloads. Keep the fix to the export paths that still append aligned\nsockaddr payloads with plain `skb_put()`:\n\n - `SADB_ACQUIRE`\n - `SADB_X_NAT_T_NEW_MAPPING`\n - `SADB_X_MIGRATE`\n\nFix those paths by clearing only the aligned sockaddr tail after\n`pfkey_sockaddr_fill()`.(CVE-2026-43088)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_mapping()\n\nstruct xfrm_usersa_id has a one-byte padding hole after the proto\nfield, which ends up never getting set to zero before copying out to\nuserspace. Fix that up by zeroing out the whole structure before\nsetting individual variables.(CVE-2026-43089)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()\n\nWe need to check __in6_dev_get() for possible NULL value, as\nsuggested by Yiming Qian.\n\nAlso add skb_dst_dev_rcu() instead of skb_dst_dev(),\nand two missing READ_ONCE().\n\nNote that @dev can't be NULL.(CVE-2026-43101)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: account XFRMA_IF_ID in aevent size calculation\n\nxfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then\nbuild_aevent() appends attributes including XFRMA_IF_ID when x->if_id is\nset.\n\nxfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states\nwith if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)\nin xfrm_get_ae(), turning a malformed netlink interaction into a kernel\npanic.\n\nAccount XFRMA_IF_ID in the size calculation unconditionally and replace\nthe BUG_ON with normal error unwinding.(CVE-2026-43107)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode\n\nkaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls\nnetif_stop_queue() and netif_wake_queue(). These are TX queue flow\ncontrol functions unrelated to RX multicast configuration.\n\nThe premature netif_wake_queue() can re-enable TX while tx_urb is still\nin-flight, leading to a double usb_submit_urb() on the same URB:\n\nkaweth_start_xmit() {\n netif_stop_queue();\n usb_submit_urb(kaweth->tx_urb);\n}\n\nkaweth_set_rx_mode() {\n netif_stop_queue();\n netif_wake_queue(); // wakes TX queue before URB is done\n}\n\nkaweth_start_xmit() {\n netif_stop_queue();\n usb_submit_urb(kaweth->tx_urb); // URB submitted while active\n}\n\nThis triggers the WARN in usb_submit_urb():\n\n "URB submitted while active"\n\nThis is a similar class of bug fixed in rtl8150 by\n\n- commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").\n\nAlso kaweth_set_rx_mode() is already functionally broken, the\nreal set_rx_mode action is performed by kaweth_async_set_rx_mode(),\nwhich in turn is not a no-op only at ndo_open() time.(CVE-2026-43180)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: consume xmit errors of GSO frames\n\nudpgro_frglist.sh and udpgro_bench.sh are the flakiest tests\ncurrently in NIPA. They fail in the same exact way, TCP GRO\ntest stalls occasionally and the test gets killed after 10min.\n\nThese tests use veth to simulate GRO. They attach a trivial\n("return XDP_PASS;") XDP program to the veth to force TSO off\nand NAPI on.\n\nDigging into the failure mode we can see that the connection\nis completely stuck after a burst of drops. The sender's snd_nxt\nis at sequence number N [1], but the receiver claims to have\nreceived (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle\nis that senders rtx queue is not empty (let's say the block in\nthe rtx queue is at sequence number N - 4 * MSS [3]).\n\nIn this state, sender sends a retransmission from the rtx queue\nwith a single segment, and sequence numbers N-4*MSS:N-3*MSS [3].\nReceiver sees it and responds with an ACK all the way up to\nN + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATA\nbecause it has no recollection of ever sending data that far out [1].\nAnd we are stuck.\n\nThe root cause is the mess of the xmit return codes. veth returns\nan error when it can't xmit a frame. We end up with a loss event\nlike this:\n\n -------------------------------------------------\n | GSO super frame 1 | GSO super frame 2 |\n |-----------------------------------------------|\n | seg | seg | seg | seg | seg | seg | seg | seg |\n | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |\n -------------------------------------------------\n x ok ok <ok>| ok ok ok <x>\n \\\\\n\t\t\t snd_nxt\n\n"x" means packet lost by veth, and "ok" means it went thru.\nSince veth has TSO disabled in this test it sees individual segments.\nSegment 1 is on the retransmit queue and will be resent.\n\nSo why did the sender not advance snd_nxt even tho it clearly did\nsend up to seg 8? tcp_write_xmit() interprets the return code\nfrom the core to mean that data has not been sent at all. Since\nTCP deals with GSO super frames, not individual segment the crux\nof the problem is that loss of a single segment can be interpreted\nas loss of all. TCP only sees the last return code for the last\nsegment of the GSO frame (in <> brackets in the diagram above).\n\nOf course for the problem to occur we need a setup or a device\nwithout a Qdisc. Otherwise Qdisc layer disconnects the protocol\nlayer from the device errors completely.\n\nWe have multiple ways to fix this.\n\n 1) make veth not return an error when it lost a packet.\n While this is what I think we did in the past, the issue keeps\n reappearing and it's annoying to debug. The game of whack\n a mole is not great.\n\n 2) fix the damn return codes\n We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the\n documentation, so maybe we should make the return code from\n ndo_start_xmit() a boolean. I like that the most, but perhaps\n some ancient, not-really-networking protocol would suffer.\n\n 3) make TCP ignore the errors\n It is not entirely clear to me what benefit TCP gets from\n interpreting the result of ip_queue_xmit()? Specifically once\n the connection is established and we're pushing data - packet\n loss is just packet loss?\n\n 4) this fix\n Ignore the rc in the Qdisc-less+GSO case, since it's unreliable.\n We already always return OK in the TCQ_F_CAN_BYPASS case.\n In the Qdisc-less case let's be a bit more conservative and only\n mask the GSO errors. This path is taken by non-IP-"networks"\n like CAN, MCTP etc, so we could regress some ancient thing.\n This is the simplest, but also maybe the hackiest fix?\n\nSimilar fix has been proposed by Eric in the past but never committed\nbecause original reporter was working with an OOT driver and wasn't\nproviding feedback (see Link).(CVE-2026-43194)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix potential race in tcp_v6_syn_recv_sock()\n\nCode in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()\nis done too late.\n\nAfter tcp_v4_syn_recv_sock(), the child socket is already visible\nfrom TCP ehash table and other cpus might use it.\n\nSince newinet->pinet6 is still pointing to the listener ipv6_pinfo\nbad things can happen as syzbot found.\n\nMove the problematic code in tcp_v6_mapped_child_init()\nand call this new helper from tcp_v4_syn_recv_sock() before\nthe ehash insertion.\n\nThis allows the removal of one tcp_sync_mss(), since\ntcp_v4_syn_recv_sock() will call it with the correct\ncontext.(CVE-2026-43198)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: Drop the lock in skb_may_tx_timestamp()\n\nskb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must\nnot be taken in IRQ context, only softirq is okay. A few drivers receive\nthe timestamp via a dedicated interrupt and complete the TX timestamp\nfrom that handler. This will lead to a deadlock if the lock is already\nwrite-locked on the same CPU.\n\nTaking the lock can be avoided. The socket (pointed by the skb) will\nremain valid until the skb is released. The ->sk_socket and ->file\nmember will be set to NULL once the user closes the socket which may\nhappen before the timestamp arrives.\nIf we happen to observe the pointer while the socket is closing but\nbefore the pointer is set to NULL then we may use it because both\npointer (and the file's cred member) are RCU freed.\n\nDrop the lock. Use READ_ONCE() to obtain the individual pointer. Add a\nmatching WRITE_ONCE() where the pointer are cleared.(CVE-2026-43216)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvhost: move vdpa group bound check to vhost_vdpa\n\nRemove duplication by consolidating these here. This reduces the\nposibility of a parent driver missing them.\n\nWhile we're at it, fix a bug in vdpa_sim where a valid ASID can be\nassigned to a group equal to ngroups, causing an out of bound write.(CVE-2026-43248)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: clear page->private in free_pages_prepare()\n\nSeveral subsystems (slub, shmem, ttm, etc.) use page->private but don't\nclear it before freeing pages. When these pages are later allocated as\nhigh-order pages and split via split_page(), tail pages retain stale\npage->private values.\n\nThis causes a use-after-free in the swap subsystem. The swap code uses\npage->private to track swap count continuations, assuming freshly\nallocated pages have page->private == 0. When stale values are present,\nswap_count_continued() incorrectly assumes the continuation list is valid\nand iterates over uninitialized page->lru containing LIST_POISON values,\ncausing a crash:\n\n KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]\n RIP: 0010:__do_sys_swapoff+0x1151/0x1860\n\nFix this by clearing page->private in free_pages_prepare(), ensuring all\nfreed pages have clean state regardless of previous use.(CVE-2026-43303)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: force responder MITM requirements before building the pairing response\n\nsmp_cmd_pairing_req() currently builds the pairing response from the\ninitiator auth_req before enforcing the local BT_SECURITY_HIGH\nrequirement. If the initiator omits SMP_AUTH_MITM, the response can\nalso omit it even though the local side still requires MITM.\n\ntk_request() then sees an auth value without SMP_AUTH_MITM and may\nselect JUST_CFM, making method selection inconsistent with the pairing\npolicy the responder already enforces.\n\nWhen the local side requires HIGH security, first verify that MITM can\nbe achieved from the IO capabilities and then force SMP_AUTH_MITM in the\nresponse in both rsp.auth_req and auth. This keeps the responder auth bits\nand later method selection aligned.(CVE-2026-43334)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn't change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n buffer with the packet data starting in the first fragment which is the\n page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n header into the linear part of the XDP buffer. As the packet doesn't\n contain more data, the program drops the tail fragment since it no\n longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. Internal frag counter\n remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n 63 => negative reference counting error.\n\nResulting splat during the test:\n\n WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n Modules linked in: [...]\n CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n [...]\n Call Trace:\n <TASK>\n mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n mlx5e_close_channel+0x24/0x90 [mlx5_core]\n mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n netif_set_mtu_ext+0xfc/0x240\n do_setlink.isra.0+0x226/0x1100\n rtnl_newlink+0x7a9/0xba0\n rtnetlink_rcv_msg+0x220/0x3c0\n netlink_rcv_skb+0x4b/0xf0\n netlink_unicast+0x255/0x380\n netlink_sendmsg+0x1f3/0x420\n __sock_sendmsg+0x38/0x60\n ____sys_sendmsg+0x1e8/0x240\n ___sys_sendmsg+0x7c/0xb0\n [...]\n __sys_sendmsg+0x5f/0xb0\n do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags.(CVE-2026-43465)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery\n\nIn case of a TX error CQE, a recovery flow is triggered,\nmlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,\ndesyncing the DMA FIFO producer and consumer.\n\nAfter recovery, the producer pushes new DMA entries at the old\ndma_fifo_pc, while the consumer reads from position 0.\nThis causes us to unmap stale DMA addresses from before the recovery.\n\nThe DMA FIFO is a purely software construct with no HW counterpart.\nAt the point of reset, all WQEs have been flushed so dma_fifo_cc is\nalready equal to dma_fifo_pc. There is no need to reset either counter,\nsimilar to how skb_fifo pc/cc are untouched.\n\nRemove the 'dma_fifo_cc = 0' reset.\n\nThis fixes the following WARNING:\n WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90\n Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:iommu_dma_unmap_page+0x79/0x90\n Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00\n Call Trace:\n <IRQ>\n ? __warn+0x7d/0x110\n ? iommu_dma_unmap_page+0x79/0x90\n ? report_bug+0x16d/0x180\n ? handle_bug+0x4f/0x90\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? iommu_dma_unmap_page+0x79/0x90\n ? iommu_dma_unmap_page+0x2e/0x90\n dma_unmap_page_attrs+0x10d/0x1b0\n mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]\n mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]\n mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]\n __napi_poll+0x24/0x190\n net_rx_action+0x32a/0x3b0\n ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]\n ? notifier_call_chain+0x35/0xa0\n handle_softirqs+0xc9/0x270\n irq_exit_rcu+0x71/0xd0\n common_interrupt+0x7f/0xa0\n </IRQ>\n <TASK>\n asm_common_interrupt+0x22/0x40(CVE-2026-43466)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipvs: skip ipv6 extension headers for csum checks\n\nProtocol checksum validation fails for IPv6 if there are extension\nheaders before the protocol header. iph->len already contains its\noffset, so use it to fix the problem.(CVE-2026-45850)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix & Optimize table creation from possibly unaligned memory\n\nSource blob may come from userspace and might be unaligned.\nTry to optize the copying process by avoiding unaligned memory accesses.\n\n- Added Fixes tag\n- Added "Fix &" to description as this doesn't just optimize but fixes\n a potential unaligned memory access\n[jj: remove duplicate word "convert" in comment trigger checkpatch warning](CVE-2026-45893)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Clear Present bit before tearing down PASID entry\n\nThe Intel VT-d Scalable Mode PASID table entry consists of 512 bits (64\nbytes). When tearing down an entry, the current implementation zeros the\nentire 64-byte structure immediately using multiple 64-bit writes.\n\nSince the IOMMU hardware may fetch these 64 bytes using multiple\ninternal transactions (e.g., four 128-bit bursts), updating or zeroing\nthe entire entry while it is active (P=1) risks a "torn" read. If a\nhardware fetch occurs simultaneously with the CPU zeroing the entry, the\nhardware could observe an inconsistent state, leading to unpredictable\nbehavior or spurious faults.\n\nFollow the "Guidance to Software for Invalidations" in the VT-d spec\n(Section 6.5.3.3) by implementing the recommended ownership handshake:\n\n1. Clear only the 'Present' (P) bit of the PASID entry.\n2. Use a dma_wmb() to ensure the cleared bit is visible to hardware\n before proceeding.\n3. Execute the required invalidation sequence (PASID cache, IOTLB, and\n Device-TLB flush) to ensure the hardware has released all cached\n references.\n4. Only after the flushes are complete, zero out the remaining fields\n of the PASID entry.\n\nAlso, add a dma_wmb() in pasid_set_present() to ensure that all other\nfields of the PASID entry are visible to the hardware before the Present\nbit is set.(CVE-2026-45894)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix livelock between quotactl and freeze_super\n\nWhen a filesystem is frozen, quotactl_block() enters a retry loop\nwaiting for the filesystem to thaw. It acquires s_umount, checks the\nfreeze state, drops s_umount and uses sb_start_write() - sb_end_write()\npair to wait for the unfreeze.\n\nHowever, this retry loop can trigger a livelock issue, specifically on\nkernels with preemption disabled.\n\nThe mechanism is as follows:\n1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().\n2. sb_wait_write() calls percpu_down_write(), which initiates\n synchronize_rcu().\n3. Simultaneously, quotactl_block() spins in its retry loop, immediately\n executing the sb_start_write() - sb_end_write() pair.\n4. Because the kernel is non-preemptible and the loop contains no\n scheduling points, quotactl_block() never yields the CPU. This\n prevents that CPU from reaching an RCU quiescent state.\n5. synchronize_rcu() in the freezer thread waits indefinitely for the\n quotactl_block() CPU to report a quiescent state.\n6. quotactl_block() spins indefinitely waiting for the freezer to\n advance, which it cannot do as it is blocked on the RCU sync.\n\nThis results in a hang of the freezer process and 100% CPU usage by the\nquota process.\n\nWhile this can occur intermittently on multi-core systems, it is\nreliably reproducing on a node with the following script, running both\nthe freezer and the quota toggle on the same CPU:\n\n # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount\n # mount /dev/sda -o quota,usrquota,grpquota a_mount\n # taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; \\\n xfs_freeze -u a_mount; done" &\n # taskset -c 3 bash -c "while true; do quotaon a_mount; \\\n quotaoff a_mount; done" &\n\nAdding cond_resched() to the retry loop fixes the issue. It acts as an\nRCU quiescent state, allowing synchronize_rcu() in percpu_down_write()\nto complete.(CVE-2026-45895)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfat: avoid parent link count underflow in rmdir\n\nCorrupted FAT images can leave a directory inode with an incorrect\ni_nlink (e.g. 2 even though subdirectories exist). rmdir then\nunconditionally calls drop_nlink(dir) and can drive i_nlink to 0,\ntriggering the WARN_ON in drop_nlink().\n\nAdd a sanity check in vfat_rmdir() and msdos_rmdir(): only drop the\nparent link count when it is at least 3, otherwise report a filesystem\nerror.(CVE-2026-45915)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\next4: fix dirtyclusters double decrement on fs shutdown\n\nfstests test generic/388 occasionally reproduces a warning in\next4_put_super() associated with the dirty clusters count:\n\n WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]\n\nTracing the failure shows that the warning fires due to an\ns_dirtyclusters_counter value of -1. IOW, this appears to be a\nspurious decrement as opposed to some sort of leak. Further tracing\nof the dirty cluster count deltas and an LLM scan of the resulting\noutput identified the cause as a double decrement in the error path\nbetween ext4_mb_mark_diskspace_used() and the caller\next4_mb_new_blocks().\n\nFirst, note that generic/388 is a shutdown vs. fsstress test and so\nproduces a random set of operations and shutdown injections. In the\nproblematic case, the shutdown triggers an error return from the\next4_handle_dirty_metadata() call(s) made from\next4_mb_mark_context(). The changed value is non-zero at this point,\nso ext4_mb_mark_diskspace_used() does not exit after the error\nbubbles up from ext4_mb_mark_context(). Instead, the former\ndecrements both cluster counters and returns the error up to\next4_mb_new_blocks(). The latter falls into the !ar->len out path\nwhich decrements the dirty clusters counter a second time, creating\nthe inconsistency.\n\nTo avoid this problem and simplify ownership of the cluster\nreservation in this codepath, lift the counter reduction to a single\nplace in the caller. This makes it more clear that\next4_mb_new_blocks() is responsible for acquiring cluster\nreservation (via ext4_claim_free_clusters()) in the !delalloc case\nas well as releasing it, regardless of whether it ends up consumed\nor returned due to failure.(CVE-2026-45920)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Clear Present bit before tearing down context entry\n\nWhen tearing down a context entry, the current implementation zeros the\nentire 128-bit entry using multiple 64-bit writes. This creates a window\nwhere the hardware can fetch a "torn" entry — where some fields are\nalready zeroed while the 'Present' bit is still set — leading to\nunpredictable behavior or spurious faults.\n\nWhile x86 provides strong write ordering, the compiler may reorder writes\nto the two 64-bit halves of the context entry. Even without compiler\nreordering, the hardware fetch is not guaranteed to be atomic with\nrespect to multiple CPU writes.\n\nAlign with the "Guidance to Software for Invalidations" in the VT-d spec\n(Section 6.5.3.3) by implementing the recommended ownership handshake:\n\n1. Clear only the 'Present' (P) bit of the context entry first to\n signal the transition of ownership from hardware to software.\n2. Use dma_wmb() to ensure the cleared bit is visible to the IOMMU.\n3. Perform the required cache and context-cache invalidation to ensure\n hardware no longer has cached references to the entry.\n4. Fully zero out the entry only after the invalidation is complete.\n\nAlso, add a dma_wmb() to context_set_present() to ensure the entry\nis fully initialized before the 'Present' bit becomes visible.(CVE-2026-45944)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: core - use RCU and work_struct to fix race condition\n\nCurrently, hwrng_fill is not cleared until the hwrng_fillfn() thread\nexits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex\nlock, a concurrent hwrng_unregister() may call kthread_stop() again on\nthe same task.\n\nAdditionally, if hwrng_unregister() is called immediately after\nhwrng_register(), the stopped thread may have never been executed. Thus,\nhwrng_fill remains dirty even after hwrng_unregister() returns. In this\ncase, subsequent calls to hwrng_register() will fail to start new\nthreads, and hwrng_unregister() will call kthread_stop() on the same\nfreed task. In both cases, a use-after-free occurs:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: ... at lib/refcount.c:25 refcount_warn_saturate+0xec/0x1c0\nCall Trace:\n kthread_stop+0x181/0x360\n hwrng_unregister+0x288/0x380\n virtrng_remove+0xe3/0x200\n\nThis patch fixes the race by protecting the global hwrng_fill pointer\ninside the rng_mutex lock, so that hwrng_fillfn() thread is stopped only\nonce, and calls to kthread_run() and kthread_stop() are serialized\nwith the lock held.\n\nTo avoid deadlock in hwrng_fillfn() while being stopped with the lock\nheld, we convert current_rng to RCU, so that get_current_rng() can read\ncurrent_rng without holding the lock. To remove the lock from put_rng(),\nwe also delay the actual cleanup into a work_struct.\n\nSince get_current_rng() no longer returns ERR_PTR values, the IS_ERR()\nchecks are removed from its callers.\n\nWith hwrng_fill protected by the rng_mutex lock, hwrng_fillfn() can no\nlonger clear hwrng_fill itself. Therefore, if hwrng_fillfn() returns\ndirectly after current_rng is dropped, kthread_stop() would be called on\na freed task_struct later. To fix this, hwrng_fillfn() calls schedule()\nnow to keep the task alive until being stopped. The kthread_stop() call\nis also moved from hwrng_unregister() to drop_current_rng(), ensuring\nkthread_stop() is called on all possible paths where current_rng becomes\nNULL, so that the thread would not wait forever.(CVE-2026-45949)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncpuidle: Skip governor when only one idle state is available\n\nOn certain platforms (PowerNV systems without a power-mgt DT node),\ncpuidle may register only a single idle state. In cases where that\nsingle state is a polling state (state 0), the ladder governor may\nincorrectly treat state 1 as the first usable state and pass an\nout-of-bounds index. This can lead to a NULL enter callback being\ninvoked, ultimately resulting in a system crash.\n\n[ 13.342636] cpuidle-powernv : Only Snooze is available\n[ 13.351854] Faulting instruction address: 0x00000000\n[ 13.376489] NIP [0000000000000000] 0x0\n[ 13.378351] LR [c000000001e01974] cpuidle_enter_state+0x2c4/0x668\n\nFix this by adding a bail-out in cpuidle_select() that returns state 0\ndirectly when state_count <= 1, bypassing the governor and keeping the\ntick running.(CVE-2026-45968)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix UMR hang in LAG error state unload\n\nDuring firmware reset in LAG mode, a race condition causes the driver\nto hang indefinitely while waiting for UMR completion during device\nunload. See [1].\n\nIn LAG mode the bond device is only registered on the master, so it\nnever sees sys_error events from the slave.\nDuring firmware reset this causes UMR waits to hang forever on unload\nas the slave is dead but the master hasn't entered error state yet, so\nUMR posts succeed but completions never arrive.\n\nFix this by adding a sys_error notifier that gets registered before\nMLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device().\nThis ensures error events reach the bond device throughout teardown.\n\n[1]\nCall Trace:\n __schedule+0x2bd/0x760\n schedule+0x37/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.isra.6+0x2b5/0x4a0\n __mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib]\n ? __xa_erase+0x4a/0xa0\n ? _cond_resched+0x15/0x30\n ? wait_for_completion+0x31/0x100\n ib_dereg_mr_user+0x48/0xc0 [ib_core]\n ? rdmacg_uncharge_hierarchy+0xa0/0x100\n destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs]\n uverbs_destroy_uobject+0x37/0x150 [ib_uverbs]\n __uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs]\n ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]\n remove_client_context+0x8b/0xd0 [ib_core]\n disable_device+0x8c/0x130 [ib_core]\n __ib_unregister_device+0x10d/0x180 [ib_core]\n ib_unregister_device+0x21/0x30 [ib_core]\n __mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib]\n auxiliary_bus_remove+0x1e/0x30\n device_release_driver_internal+0x103/0x1f0\n bus_remove_device+0xf7/0x170\n device_del+0x181/0x410\n mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core]\n mlx5_disable_lag+0x253/0x260 [mlx5_core]\n mlx5_lag_disable_change+0x89/0xc0 [mlx5_core]\n mlx5_eswitch_disable+0x67/0xa0 [mlx5_core]\n mlx5_unload+0x15/0xd0 [mlx5_core]\n mlx5_unload_one+0x71/0xc0 [mlx5_core]\n mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core]\n process_one_work+0x1a7/0x360\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x22/0x40(CVE-2026-45973)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in iomap inline data write path\n\nThe inline data buffer head (dibh) is being released prematurely in\ngfs2_iomap_begin() via release_metapath() while iomap->inline_data\nstill points to dibh->b_data. This causes a use-after-free when\niomap_write_end_inline() later attempts to write to the inline data\narea.\n\nThe bug sequence:\n1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode\n metadata into dibh\n2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)\n3. Calls release_metapath() which calls brelse(dibh), dropping refcount\n to 0\n4. kswapd reclaims the page (~39ms later in the syzbot report)\n5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data\n6. KASAN detects use-after-free write to freed memory\n\nFix by storing dibh in iomap->private and incrementing its refcount\nwith get_bh() in gfs2_iomap_begin(). The buffer is then properly\nreleased in gfs2_iomap_end() after the inline write completes,\nensuring the page stays alive for the entire iomap operation.\n\nNote: A C reproducer is not available for this issue. The fix is based\non analysis of the KASAN report and code review showing the buffer head\nis freed before use.\n\n[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid\nleaks in gfs2_iomap_get() and gfs2_iomap_alloc().](CVE-2026-45984)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix u32 overflow in pushbuf reloc bounds check\n\nnouveau_gem_pushbuf_reloc_apply() validates each relocation with\n\n if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)\n\nbut reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer\nliteral 4 promotes to unsigned int, so the addition is performed in 32\nbits and wraps before the comparison against the size_t bo size.\n\nCast to u64 so the addition happens in 64-bit arithmetic.\n\n[ Add Fixes: tag. - Danilo ](CVE-2026-46006)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix thermal zone governor cleanup issues\n\nIf thermal_zone_device_register_with_trips() fails after adding\na thermal governor to the thermal zone being registered, the\ngovernor is not removed from it as appropriate which may lead to\na memory leak.\n\nIn turn, thermal_zone_device_unregister() calls thermal_set_governor()\nwithout acquiring the thermal zone lock beforehand which may race with\na governor update via sysfs and may lead to a use-after-free in that\ncase.\n\nAddress these issues by adding two thermal_set_governor() calls, one to\nthermal_release() to remove the governor from the given thermal zone,\nand one to the thermal zone registration error path to cover failures\npreceding the thermal zone device registration.(CVE-2026-46021)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT\n\nIf loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit()\nreturns an error code that is ignored by most callers, and continues to\nrun L1 with corrupted state. A sane recovery is not possible in this\ncase, and HW behavior is to cause a shutdown. Inject a triple fault\ninstead, and do not return early from nested_svm_vmexit(). Continue\ncleaning up the vCPU state (e.g. clear pending exceptions), to handle\nthe failure as gracefully as possible.\n\nFrom the APM:\n\n Upon #VMEXIT, the processor performs the following actions in order to\n return to the host execution context:\n\n ...\n\n if (illegal host state loaded, or exception while loading host state)\n shutdown\n else\n execute first host instruction following the VMRUN\n\nRemove the return value of nested_svm_vmexit(), which is mostly\nunchecked anyway.(CVE-2026-46032)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject short ahash digests during instance creation\n\nauthencesn requires either a zero authsize or an authsize of at least\n4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of\nhigh-order sequence number data at the end of the authenticated data.\n\nWhile crypto_authenc_esn_setauthsize() already rejects explicit\nnon-zero authsizes in the range 1..3, crypto_authenc_esn_create()\nstill copied auth->digestsize into inst->alg.maxauthsize without\nvalidating it. The AEAD core then initialized the tfm's default\nauthsize from that value.\n\nAs a result, selecting an ahash with digest size 1..3, such as\ncbcmac(cipher_null), exposed authencesn instances whose default\nauthsize was invalid even though setauthsize() would have rejected the\nsame value. AF_ALG could then trigger the ESN tail handling with a\ntoo-short tag and hit an out-of-bounds access.\n\nReject authencesn instances whose ahash digest size is in the invalid\nnon-zero range 1..3 so that no tfm can inherit an unsupported default\nauthsize.(CVE-2026-46033)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nceph: only d_add() negative dentries when they are unhashed\n\nCeph can call d_add(dentry, NULL) on a negative dentry that is already\npresent in the primary dcache hash.\n\nIn the current VFS that is not safe. d_add() goes through __d_add()\nto __d_rehash(), which unconditionally reinserts dentry->d_hash into\nthe hlist_bl bucket. If the dentry is already hashed, reinserting the\nsame node can corrupt the bucket, including creating a self-loop.\nOnce that happens, __d_lookup() can spin forever in the hlist_bl walk,\ntypically looping only on the d_name.hash mismatch check and\neventually triggering RCU stall reports like this one:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829\n rcu: (t=2101 jiffies g=79058445 q=698988 ncpus=192)\n CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023\n RIP: 0010:__d_lookup+0x46/0xb0\n Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f\n RSP: 0018:ff745a70c8253898 EFLAGS: 00000282\n RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966\n RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0\n RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89\n R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0\n R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f\n FS: 00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n lookup_fast+0x9f/0x100\n walk_component+0x1f/0x150\n link_path_walk+0x20e/0x3d0\n path_lookupat+0x68/0x180\n filename_lookup+0xdc/0x1e0\n vfs_statx+0x6c/0x140\n vfs_fstatat+0x67/0xa0\n __do_sys_newfstatat+0x24/0x60\n do_syscall_64+0x6a/0x230\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is reachable with reused cached negative dentries. A Ceph lookup\nor atomic_open can be handed a negative dentry that is already hashed,\nand fs/ceph/dir.c then hits one of two paths that incorrectly assume\n"negative" also means "unhashed":\n\n - ceph_finish_lookup():\n MDS reply is -ENOENT with no trace\n -> d_add(dentry, NULL)\n\n - ceph_lookup():\n local ENOENT fast path for a complete directory with shared caps\n -> d_add(dentry, NULL)\n\nBoth paths can therefore re-add an already-hashed negative dentry.\n\nCeph already uses the correct pattern elsewhere: ceph_fill_trace() only\ncalls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)\nis true.\n\nFix both fs/ceph/dir.c sites the same way: only call d_add() for a\nnegative dentry when it is actually unhashed. If the negative dentry\nis already hashed, leave it in place and reuse it as-is.\n\nThis preserves the existing behavior for unhashed dentries while\navoiding d_hash list corruption for reused hashed negatives.(CVE-2026-46052)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info\n\nHold state of deferred I/O in struct fb_deferred_io_state. Allocate an\ninstance as part of initializing deferred I/O and remove it only after\nthe final mapping has been closed. If the fb_info and the contained\ndeferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info\nto invalidate the mapping. Any access will then result in a SIGBUS\nsignal.\n\nFixes a long-standing problem, where a device hot-unplug happens while\nuser space still has an active mapping of the graphics memory. The hot-\nunplug frees the instance of struct fb_info. Accessing the memory will\noperate on undefined state.(CVE-2026-46065)\n\nIn the Linux kernel, the vlan_dev_set_egress_priority() function currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities accumulate mapping nodes until device teardown, causing memory leakage. This vulnerability is fixed by deleting mappings instead of keeping tombstones, using RCU protection for safe deallocation.(CVE-2026-46153)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: fix ep_remove struct eventpoll / struct file UAF\n\nep_remove() (via ep_remove_file()) cleared file->f_ep under\nfile->f_lock but then kept using @file inside the critical section\n(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).\nA concurrent __fput() taking the eventpoll_release() fastpath in\nthat window observed the transient NULL, skipped\neventpoll_release_file() and ran to f_op->release / file_free().\n\nFor the epoll-watches-epoll case, f_op->release is\nep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which\nkfree()s the watched struct eventpoll. Its embedded ->refs\nhlist_head is exactly where epi->fllink.pprev points, so the\nsubsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed\nkmalloc-192 memory.\n\nIn addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot\nbacking @file could be recycled by alloc_empty_file() --\nreinitializing f_lock and f_ep -- while ep_remove() is still\nnominally inside that lock. The upshot is an attacker-controllable\nkmem_cache_free() against the wrong slab cache.\n\nPin @file via epi_fget() at the top of ep_remove() and gate the\ncritical section on the pin succeeding. With the pin held @file\ncannot reach refcount zero, which holds __fput() off and\ntransitively keeps the watched struct eventpoll alive across the\nhlist_del_rcu() and the f_lock use, closing both UAFs.\n\nIf the pin fails @file has already reached refcount zero and its\n__fput() is in flight. Because we bailed before clearing f_ep,\nthat path takes the eventpoll_release() slow path into\neventpoll_release_file() and blocks on ep->mtx until the waiter\nside's ep_clear_and_put() drops it. The bailed epi's share of\nep->refcount stays intact, so the trailing ep_refcount_dec_and_test()\nin ep_clear_and_put() cannot free the eventpoll out from under\neventpoll_release_file(); the orphaned epi is then cleaned up\nthere.\n\nA successful pin also proves we are not racing\neventpoll_release_file() on this epi, so drop the now-redundant\nre-check of epi->dying under f_lock. The cheap lockless\nREAD_ONCE(epi->dying) fast-path bailout stays.(CVE-2026-46242)\n\nIn the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dc_link NULL handling in HPD init amdgpu_dm_hpd_init() may see connectors without a valid dc_link. The code already checks dc_link for the polling decision, but later unconditionally dereferences it when setting up HPD interrupts. Assign dc_link early and skip connectors where it is NULL. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init() error: we previously assumed 'dc_link' could be null (see line 931) drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c 923 /* 924 * Analog connectors may be hot-plugged unlike other connector 925 * types that don't support HPD. Only poll analog connectors. 926 */ 927 use_polling |= 928 amdgpu_dm_connector->dc_link && ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The patch adds this NULL check but hopefully it can be removed 929 dc_connector_supports_analog(amdgpu_dm_connector->dc_link->link_id.id); 930 931 dc_link = amdgpu_dm_connector->dc_link; dc_link assigned here. 932 933 /* 934 * Get a base driver irq reference for hpd ints for the lifetime 935 * of dm. Note that only hpd interrupt types are registered with 936 * base driver; hpd_rx types aren't. IOW, amdgpu_irq_get/put on 937 * hpd_rx isn't available. DM currently controls hpd_rx 938 * explicitly with dc_interrupt_set() 939 */ --> 940 if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID) { ^^^^^^^^^^^^^^^^^^^^^^^ If it's NULL then we are trouble because we dereference it here. 941 irq_type = dc_link->irq_source_hpd - DC_IRQ_SOURCE_HPD1; 942 /* 943 * TODO: There's a mismatch between mode_info.num_hpd 944 * and what bios reports as the # of connectors with hpd The Linux kernel CVE team has assigned CVE-2026-46245 to this issue.(CVE-2026-46245)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.0-145.3.15.146.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["bpftool-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","bpftool-debuginfo-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-debuginfo-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-debugsource-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-devel-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-extra-modules-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-headers-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-source-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-tools-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-tools-debuginfo-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","kernel-tools-devel-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","perf-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","perf-debuginfo-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","python3-perf-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm","python3-perf-debuginfo-6.6.0-145.3.15.146.oe2403sp3.aarch64.rpm"],"src":["kernel-6.6.0-145.3.15.146.oe2403sp3.src.rpm"],"x86_64":["bpftool-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","bpftool-debuginfo-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-debuginfo-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-debugsource-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-devel-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-extra-modules-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-headers-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-source-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-tools-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-tools-debuginfo-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","kernel-tools-devel-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","perf-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","perf-debuginfo-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","python3-perf-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm","python3-perf-debuginfo-6.6.0-145.3.15.146.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2676"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39781"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71109"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23213"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23214"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31527"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31607"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31662"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31709"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31759"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43024"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43038"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43059"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43083"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43088"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43089"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43101"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43107"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43180"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43194"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43198"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43216"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43248"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43303"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43334"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43465"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43466"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45850"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45893"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45894"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45895"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45915"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45920"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45944"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45949"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45968"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45973"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45984"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46006"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46021"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46032"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46033"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46052"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46065"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46153"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46242"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46245"}],"database_specific":{"severity":"Critical"}}