Oracle Linux Security Advisory ELSA-2026-50144

http://linux.oracle.com/errata/ELSA-2026-50144.html

The following updated rpms for have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-uek-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-devel-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-doc-6.12.0-109.67.6.el10uek.noarch.rpm
kernel-uek-modules-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-deprecated-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-desktop-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-extra-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-extra-netfilter-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-usb-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-wireless-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-tools-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-devel-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-deprecated-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-desktop-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-extra-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-extra-netfilter-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-usb-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-wireless-6.12.0-109.67.6.el10uek.x86_64.rpm

aarch64:
kernel-uek-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-devel-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-deprecated-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-desktop-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-extra-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-extra-netfilter-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-usb-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-wireless-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-tools-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-devel-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-deprecated-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-desktop-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-extra-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-extra-netfilter-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-usb-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-wireless-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-devel-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-deprecated-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-desktop-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-extra-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-extra-netfilter-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-usb-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-wireless-6.12.0-109.67.6.el10uek.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/kernel-uek-6.12.0-109.67.6.el10uek.src.rpm

Related CVEs:

CVE-2025-22111
CVE-2025-38248
CVE-2025-38591
CVE-2025-68792
CVE-2025-71088
CVE-2025-71127
CVE-2025-71134
CVE-2025-71144
CVE-2025-71160
CVE-2025-71182
CVE-2025-71183
CVE-2025-71184
CVE-2025-71190
CVE-2025-71194
CVE-2026-22976
CVE-2026-22977
CVE-2026-22978
CVE-2026-22979
CVE-2026-22980
CVE-2026-22984
CVE-2026-22988
CVE-2026-22989
CVE-2026-22990
CVE-2026-22991
CVE-2026-22992
CVE-2026-22994
CVE-2026-22996
CVE-2026-22997
CVE-2026-22998
CVE-2026-22999
CVE-2026-23000
CVE-2026-23001
CVE-2026-23002
CVE-2026-23003
CVE-2026-23005
CVE-2026-23010
CVE-2026-23011
CVE-2026-23020
CVE-2026-23021
CVE-2026-23023
CVE-2026-23025
CVE-2026-23030
CVE-2026-23031
CVE-2026-23032
CVE-2026-23035
CVE-2026-23038
CVE-2026-23047
CVE-2026-23049
CVE-2026-23050
CVE-2026-23053
CVE-2026-23054
CVE-2026-23136
CVE-2026-23139
CVE-2026-23140
CVE-2026-23141
CVE-2026-23142
CVE-2026-23144
CVE-2026-23145

Description of changes:

[6.12.0-109.67.6]
- net: tunnel: make skb_vlan_inet_prepare() return drop reasons (Menglong Dong) [Orabug: 39027305]

[6.12.0-109.67.5]
- uek-rpm: fixed specs to explicitly call python3 as set as a requirement (Mark Nicholson) [Orabug: 38933158]
- Revert "net/rds: fix crash by expanding kref coverage to rds_incoming.i_conn" (Sharath Srinivasan) [Orabug: 38945524]
- Revert "net/rds: expand kref coverage to rds_notifier->n_conn" (Sharath Srinivasan) [Orabug: 38945524]

[6.12.0-109.67.4]
- KVM: x86: conditionally clear masterclock request for uek=exadata (Dongli Zhang) [Orabug: 38905553]
- Partial backport of "KVM: x86: Fix software TSC upscaling in kvm_update_guest_time()" (Dongli Zhang) [Orabug: 38905553]
- ext4/jbd2: skip sb flush when EIO happened (Wengang Wang) [Orabug: 38916907]
- jbd2: store more accurate errno in superblock when possible (Wengang Wang) [Orabug: 38916907]
- net/rds: fix rds_message memleak in rds_send_xmit (Sharath Srinivasan) [Orabug: 38923495]
- Revert "IB/mlx5: Implement clear counters" (Sharath Srinivasan) [Orabug: 38923518]
- Revert "IB/core: Implement clear counters" (Sharath Srinivasan) [Orabug: 38923518]
- net/rds: fix rds_message memleak in rds_send_queue_rm (Sharath Srinivasan) [Orabug: 38928269]
- net/rds: rds_send_xmit should INIT_LIST_HEAD(&to_be_dropped) on restart (Sharath Srinivasan) [Orabug: 38928271]
- net/rds: wait_event_timeout until zero connections during rmmod (Sharath Srinivasan) [Orabug: 38928273]

[6.12.0-109.67.3]
- RAS/AMD/ATL: Require PRM support for future systems (Yazen Ghannam) [Orabug: 38869580]
- ACPI: PRM: Add acpi_prm_handler_available() (Yazen Ghannam) [Orabug: 38869580]
- Documentation: add documentation for MFD_MF_KEEP_UE_MAPPED (William Roche) [Orabug: 38768984]
- selftests/mm: test userspace MFR for HugeTLB hugepage (William Roche) [Orabug: 38768984]
- mm: memfd/hugetlb: introduce memfd-based userspace MFR policy (William Roche) [Orabug: 38768984]
- mm/memory-failure: teach kill_accessing_process to accept hugetlb tail page pfn (Jane Chu) [Orabug: 38768984]
- mm/memory-failure: fix missing ->mf_stats count in hugetlb poison (Jane Chu) [Orabug: 38768984]
- Reapply "cpuidle: menu: Avoid discarding useful information" (Harshvardhan Jha) [Orabug: 38741180]

[6.12.0-109.67.2]
- net: mana: Reduce waiting time if HWC not responding (Haiyang Zhang) [Orabug: 38881615]

[6.12.0-109.67.1]
- LTS version: v6.12.67 (Jack Vogel)
- mm/fake-numa: handle cases with no SRAT info (Bruno Faccini)
- mm/page_alloc: prevent pcp corruption with SMP=n (Vlastimil Babka) [Orabug: 38914772] {CVE-2026-23025}
- mm/page_alloc: batch page freeing in decay_pcp_high (Joshua Hahn)
- mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection (Joshua Hahn)
- dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure (Zhen Ni)
- phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() (Xu Wang) [Orabug: 38914781] {CVE-2026-23030}
- phy: phy-rockchip-inno-usb2: Use dev_err_probe() in the probe path (Dragan Simic) for 'numa_nodes_parsed' (Ben Dooks)
- mm/fake-numa: allow later numa node hotplug (Bruno Faccini)
- mm: kmsan: fix poisoning of high-order non-compound pages (Ryan Roberts)
- selftests/bpf: Test invalid narrower ctx load (Paul Chaignon)
- bpf: Reject narrower access to pointer ctx fields (Paul Chaignon) [Orabug: 38335080] {CVE-2025-38591}
- mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure (Seongjae Park) [Orabug: 38970289] {CVE-2026-23142}
- mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure (Seongjae Park)
- xfs: set max_agbno to allow sparse alloc of last full inode chunk (Brian Foster)
- btrfs: fix deadlock in wait_current_trans() due to ignored transaction type (Robbie Ko) [Orabug: 38930778] {CVE-2025-71194}
- HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue() (Nathan Chancellor)
- HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking (Zhang Lixu)
- dmaengine: ti: k3-udma: fix device leak on udma lookup (Johan Hovold)
- dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation (Johan Hovold)
- dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation (Johan Hovold)
- dmaengine: stm32: dmamux: fix OF node leak on route allocation failure (Johan Hovold)
- dmaengine: stm32: dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all() (Biju Das)
- dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() (Miaoqian Lin)
- dmaengine: lpc32xx-dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: lpc18xx-dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: idxd: fix device leaks on compat bind and unbind (Johan Hovold)
- dmaengine: dw: dmamux: fix OF node leak on route allocation failure (Johan Hovold)
- dmaengine: bcm-sba-raid: fix device leak on probe (Johan Hovold) [Orabug: 38914727] {CVE-2025-71190}
- dmaengine: at_hdmac: fix device leak on of_dma_xlate() (Johan Hovold)
- dmaengine: apple-admac: Add "apple,t8103-admac" compatible (Janne Grunau)
- LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells (Binbin Zhou)
- LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names (Binbin Zhou)
- LoongArch: dts: loongson-2k1000: Add default interrupt controller address cells (Binbin Zhou)
- LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells (Binbin Zhou)
- drm/vmwgfx: Fix an error return check in vmw_compat_shader_add() (Haoxiang Li)
- drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel (Marek Vasut) [Orabug: 38930828] {CVE-2026-23049}
- drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare (Lyude Paul)
- drm/amdkfd: fix a memory leak in device_queue_manager_init() (Haoxiang Li)
- drm/amd: Clean up kfd node on surprise disconnect (Mario Limonciello)
- drm/amd/display: Bump the HDMI clock to 340MHz (Mario Limonciello)
- LoongArch: Fix PMU counter allocation for mixed-type event groups (Lisa Robinson)
- mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure (Seongjae Park) [Orabug: 38970294] {CVE-2026-23144}
- mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free (Aboorva Devarajan)
- mm/zswap: fix error pointer free in zswap_cpu_comp_prepare() (Pavel Butsykin)
- nvme: fix PCIe subsystem reset controller state transition (Nilay Shroff)
- x86/resctrl: Fix memory bandwidth counter width for Hygon (Xiaochen Shen)
- x86/resctrl: Add missing resctrl initialization for Hygon (Xiaochen Shen)
- i2c: riic: Move suspend handling to NOIRQ phase (Tommaso Merciai)
- tcpm: allow looking for role_sw device in the main node (Arnaud Ferraris)
- EDAC/i3200: Fix a resource leak in i3200_probe1() (Haoxiang Li)
- EDAC/x38: Fix a resource leak in x38_probe1() (Haoxiang Li)
- hrtimer: Fix softirq base check in update_needs_ipi() (Thomas Weißschuh)
- ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref (Yangerkun) [Orabug: 38970600] {CVE-2026-23145}
- ASoC: codecs: wsa881x: fix unnecessary initialisation (Johan Hovold)
- nvme-pci: disable secondary temp for Wodposit WPBSNM8 (Ilikara Zheng)
- USB: serial: ftdi_sio: add support for PICAXE AXE027 cable (Ethan Nelson-Moore)
- USB: serial: option: add Telit LE910 MBIM composition (Ulrich Mohr)
- USB: OHCI/UHCI: Add soft dependencies on ehci_platform (Huacai Chen)
- usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor (Johannes Brüderl)
- usb: dwc3: Check for USB4 IP_NAME (Thinh Nguyen)
- phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7 (Wayne Chang)
- phy: rockchip: inno-usb2: fix disconnection in gadget mode (Louis Chauvet)
- phy: freescale: imx8m-pcie: assert phy reset during power on (Rafael Beims)
- phy: ti: gmii-sel: fix regmap leak on probe failure (Johan Hovold)
- phy: rockchip: inno-usb2: fix communication disruption in gadget mode (Luca Ceresoli)
- x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers (Dan Williams)
- lib/buildid: use __kernel_read() for sleepable context (Shakeel Butt) [Orabug: 38887735] {CVE-2026-23002}
- xfs: Fix the return value of xfs_rtcopy_summary() (Nirjhar Roy)
- net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts (Tetsuo Handa) [Orabug: 38887709] {CVE-2026-22997}
- can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit. (Ondrej Ille)
- can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak (Marc Kleine-Budde) [Orabug: 38914785] {CVE-2026-23031}
- null_blk: fix kmemleak by releasing references to fault configfs items (Nilay Shroff) [Orabug: 38914794] {CVE-2026-23032}
- ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer (Jaroslav Kysela)
- scsi: core: Fix error handler encryption support (Brian Kao)
- io_uring: move local task_work in exit cancel loop (Ming Lei)
- drm/amd/display: mark static functions noinline_for_stack (Tzung-Bi Shih)
- ASoC: codecs: wsa883x: fix unnecessary initialisation (Johan Hovold)
- bridge: mcast: Fix use-after-free during router port configuration (Ido Schimmel) [Orabug: 38175058] {CVE-2025-38248}
- HID: usbhid: paper over wrong bNumDescriptor field (Benjamin Tissoires)
- i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA (Neil Armstrong)
- dmaengine: omap-dma: fix dma_pool resource leak in error paths (Xu Wang)
- selftests/landlock: Properly close a file descriptor (Günther Noack)
- phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again) (Krzysztof Kozlowski)
- selftests/landlock: Remove invalid unix socket bind() (Matthieu Buffet)
- selftests/landlock: Fix TCP bind(AF_UNSPEC) test case (Matthieu Buffet)
- phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors (Xu Wang)
- phy: stm32-usphyc: Fix off by one in probe() (Dan Carpenter)
- phy: qcom-qusb2: Fix NULL pointer dereference on early suspend (Loic Poulain)
- phy: drop probe registration printks (Johan Hovold)
- phy: phy-snps-eusb2: refactor constructs names (Ivaylo Ivanov)
- phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it (Stefano Radaelli)
- dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing (Suraj Gupta)
- dmaengine: tegra-adma: Fix use-after-free (Sheetal)
- dmaengine: xilinx: xdma: Fix regmap max_register (Anthony Brandon)
- mm, kfence: describe @slab parameter in __kfence_obj_info() (Bagas Sanjaya)
- textsearch: describe @list member in ts_ops search (Bagas Sanjaya)
- mm: describe @flags parameter in memalloc_flags_save() (Bagas Sanjaya)
- drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2 (Yang Wang)
- ASoC: tlv320adcx140: fix word length (Emil Svendsen)
- ASoC: tlv320adcx140: fix null pointer (Emil Svendsen)
- ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type (Cole Leavitt)
- net/sched: sch_qfq: do not free existing class in qfq_change_class() (Eric Dumazet) [Orabug: 38887717] {CVE-2026-22999}
- selftests: drv-net: fix RPS mask handling for high CPU numbers (Gal Pressman)
- ipv6: Fix use-after-free in inet6_addr_del(). (Kuniyuki Iwashima) [Orabug: 38887755] {CVE-2026-23010}
- net: hv_netvsc: reject RSS hash key programming without RX indirection table (Aditya Garg) [Orabug: 38930846] {CVE-2026-23054}
- ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip (Richard Fitzgerald)
- net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback (Kery Qi)
- btrfs: fix memory leaks in create_space_info() error paths (Jiasheng Jiang)
- btrfs: introduce btrfs_space_info sub-group (Naohiro Aota)
- btrfs: factor out check_removing_space_info() from btrfs_free_block_groups() (Naohiro Aota)
- btrfs: factor out init_space_info() from create_space_info() (Naohiro Aota)
- net/mlx5e: Restore destroying state bit after profile cleanup (Saeed Mahameed)
- net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv (Saeed Mahameed) [Orabug: 38914806] {CVE-2026-23035}
- net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv (Saeed Mahameed) [Orabug: 38887705] {CVE-2026-22996}
- net/mlx5e: Fix crash on profile change rollback failure (Saeed Mahameed) [Orabug: 38887724] {CVE-2026-23000}
- vsock/test: add a final full barrier after run all tests (Stefano Garzarella)
- ipv4: ip_gre: make ipgre_header() robust (Eric Dumazet) [Orabug: 38887757] {CVE-2026-23011}
- macvlan: fix possible UAF in macvlan_forward_source() (Eric Dumazet) [Orabug: 38887729] {CVE-2026-23001}
- net: update netdev_lock_{type,name} (Eric Dumazet)
- ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() (Eric Dumazet) [Orabug: 38887737] {CVE-2026-23003}
- net: bridge: annotate data-races around fdb->{updated,used} (Eric Dumazet)
- btrfs: send: check for inline extents in range_is_hole_in_parent() (Qu Wenruo) [Orabug: 38970283] {CVE-2026-23141}
- nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (Shivam Kumar) [Orabug: 38887713] {CVE-2026-22998}
- can: etas_es58x: allow partial RX URB allocation to succeed (Szymon Wilczek)
- PM: EM: Fix incorrect description of the cost field in struct em_perf_state (Yaxiong Tian)
- drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions (Ian Forbes)
- pnfs/blocklayout: Fix memory leak in bl_parse_scsi() (Zilin Guan)
- pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() (Zilin Guan) [Orabug: 38914815] {CVE-2026-23038}
- NFS: Fix a deadlock involving nfs_release_folio() (Trond Myklebust) [Orabug: 38930844] {CVE-2026-23053}
- pNFS: Fix a deadlock when returning a delegation during open() (Trond Myklebust) [Orabug: 38930834] {CVE-2026-23050}
- xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set (Antony Antony)
- xfrm: Fix inner mode lookup in tunnel mode GSO segmentation (Jianbo Liu)
- ASoC: codecs: wsa884x: fix codec initialisation (Johan Hovold)
- x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 (Sean Christopherson) [Orabug: 38887746] {CVE-2026-23005}
- Revert "gfs2: Fix use of bio_chain" (Andreas Gruenbacher)
- efi/cper: Fix cper_bits_to_str buffer handling and return value (Dandan Zhang)
- firmware: imx: scu-irq: Set mu_resource_id before get handle (Peng Fan)
- LTS version: v6.12.66 (Jack Vogel)
- bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path (Shardul Bankar)
- ALSA: hda: intel-dsp-config: Prefer legacy driver as fallback (Takashi Iwai)
- tpm2-sessions: Fix out of range indexing in name_size (Jarkko Sakkinen) [Orabug: 38847816] {CVE-2025-68792}
- spi: cadence-quadspi: Prevent lost complete() call during indirect read (Mateusz Litwin)
- scsi: sg: Fix occasional bogus elapsed time that exceeds timeout (Michal Rábek)
- ASoC: fsl_sai: Add missing registers to cache default (Alexander Stein)
- ALSA: hda/realtek: enable woofer speakers on Medion NM14LNL (Kai Vehmanen)
- ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025 (Andrew Elantsev)
- ALSA: usb-audio: Update for native DSD support quirks (Jussi Laako)
- can: j1939: make j1939_session_activate() fail if device is no longer registered (Tetsuo Handa) [Orabug: 38914674] {CVE-2025-71182}
- drm/amdkfd: Fix improper NULL termination of queue restore SMI event string (Brian Kocoloski)
- spi: mt65xx: Use IRQF_ONESHOT with threaded IRQ (Fei Shao)
- drm/amd/display: Fix DP no audio issue (Charlene Liu)
- ata: libata-core: Disable LPM on ST2000DM008-2FR102 (Niklas Cassel)
- netfilter: nf_tables: avoid chain re-validation if possible (Florian Westphal) [Orabug: 38887632] {CVE-2025-71160}
- powercap: fix sscanf() error return value handling (Sumeet Pawnikar)
- powercap: fix race condition in register_control_type() (Sumeet Pawnikar)
- net: sfp: extend Potron XGSPON quirk to cover additional EEPROM variant (Marcus Hughes)
- bpf: Fix reference count leak in bpf_prog_test_run_xdp() (Tetsuo Handa) [Orabug: 38887701] {CVE-2026-22994}
- bpf, test_run: Subtract size of xdp_frame from allowed metadata size (Toke Høiland-Jørgensen) [Orabug: 38970281] {CVE-2026-23140}
- bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN (Amery Hung)
- bpf: Make variables in bpf_prog_test_run_xdp less confusing (Amery Hung)
- bpf: Fix an issue in bpf_prog_test_run_xdp when page size greater than 4K (Yonghong Song)
- btrfs: fix beyond-EOF write handling (Qu Wenruo)
- btrfs: use variable for end offset in extent_writepage_io() (Filipe Manana)
- btrfs: truncate ordered extent when skipping writeback past i_size (Filipe Manana)
- btrfs: remove btrfs_fs_info::sectors_per_page (Qu Wenruo)
- btrfs: add extra error messages for delalloc range related errors (Qu Wenruo)
- btrfs: subpage: dump the involved bitmap when ASSERT() failed (Qu Wenruo)
- btrfs: fix error handling of submit_uncompressed_range() (Qu Wenruo)
- ALSA: ac97: fix a double free in snd_ac97_controller_register() (Haoxiang Li)
- ALSA: ac97bus: Use guard() for mutex locks (Takashi Iwai)
- erofs: fix file-backed mounts no longer working on EROFS partitions (Gao Xiang)
- erofs: don't bother with s_stack_depth increasing for now (Gao Xiang)
- arp: do not assume dev_hard_header() does not change skb->head (Eric Dumazet) [Orabug: 38887789] {CVE-2026-22988}
- net: enetc: fix build warning when PAGE_SIZE is greater than 128K (Wei Fang)
- net: usb: pegasus: fix memory leak in update_eth_regs_async() (Petko Manolov) [Orabug: 38914760] {CVE-2026-23021}
- net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset (Xiang Mei) [Orabug: 38872324] {CVE-2026-22976}
- HID: quirks: work around VID/PID conflict for appledisplay (René Rebe)
- net: netdevsim: fix inconsistent carrier state after link/unlink (Yohei Kojima)
- idpf: cap maximum Rx buffer size (Joshua Hay)
- idpf: fix memory leak in idpf_vport_rel() (Emil Tantilov) [Orabug: 38914769] {CVE-2026-23023}
- idpf: keep the netdev when a reset fails (Emil Tantilov)
- net: fix memory leak in skb_segment_list for GRO packets (Mohammad Heib) [Orabug: 38887655] {CVE-2026-22979}
- riscv: pgtable: Cleanup useless VA_USER_XXX definitions (Guo Ren)
- btrfs: only enforce free space tree if v1 cache is required for bs < ps cases (Qu Wenruo)
- vsock: Make accept()ed sockets use custom setsockopt() (Michal Luczaj)
- bnxt_en: Fix potential data corruption with HW GRO/LRO (Srijit Bose)
- net: wwan: iosm: Fix memory leak in ipc_mux_deinit() (Zilin Guan)
- net/mlx5e: Don't print error message due to invalid module (Gal Pressman)
- netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates (Di Zhu)
- net: sock: fix hardened usercopy panic in sock_recv_errqueue (Weiming Shi) [Orabug: 38877945] {CVE-2026-22977}
- inet: ping: Fix icmp out counting (Yuan Gao)
- net: mscc: ocelot: Fix crash when adding interface under a lag (Jerry Wu)
- bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress (Alexandre Knecht)
- net: marvell: prestera: fix NULL dereference on devlink_alloc() failure (Alok Tiwari)
- netfilter: nf_conncount: update last_gc only when GC has been performed (Fernando Fernandez Mancera) [Orabug: 38970277] {CVE-2026-23139}
- netfilter: nf_tables: fix memory leak in nf_tables_newrule() (Zilin Guan)
- gpio: pca953x: handle short interrupt pulses on PCAL devices (Ernest Van Hoecke)
- gpio: pca953x: Add support for level-triggered interrupts (Potin Lai)
- netfilter: nft_synproxy: avoid possible data-race on update operation (Fernando Fernandez Mancera)
- netfilter: nft_set_pipapo: fix range overlap detection (Florian Westphal)
- arm64: dts: mba8mx: Fix Ethernet PHY IRQ support (Alexander Stein)
- arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart (Sherry Sun)
- arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM (Marek Vasut)
- ARM: dts: imx6q-ba16: fix RTC interrupt level (Ian Ray)
- arm64: dts: add off-on-delay-us for usdhc2 regulator (Haibo Chen)
- crypto: qat - fix duplicate restarting msg during AER error (Harshita Bhilwaria)
- arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix schema warnings (Wadim Egorov)
- drm/amd/display: Apply e4479aecf658 to dml (Nathan Chancellor)
- drm/amd/display: Respect user's CONFIG_FRAME_WARN more for dml files (Nathan Chancellor)
- btrfs: fix NULL dereference on root when tracing inode eviction (Miquel Sabaté Solà) [Orabug: 38914692] {CVE-2025-71184}
- btrfs: tracepoints: use btrfs_root_id() to get the id of a root (Filipe Manana)
- btrfs: qgroup: update all parent qgroups when doing quick inherit (Qu Wenruo)
- btrfs: fix qgroup_snapshot_quick_inherit() squota bug (Boris Burkov)
- scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" (Xingui Yang)
- scsi: ufs: core: Fix EH failure after W-LUN resume error (Brian Kao)
- scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset (Wen Xiong)
- smb/client: fix NT_STATUS_NO_DATA_DETECTED value (Chenxiaosong)
- smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value (Chenxiaosong)
- smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value (Chenxiaosong)
- drm/amd/display: shrink struct members (Rosen Penev)
- NFS: Fix up the automount fs_context to use the correct cred (Trond Myklebust)
- ASoC: rockchip: Fix Wvoid-pointer-to-enum-cast warning (again) (Krzysztof Kozlowski)
- NFSv4: ensure the open stateid seqid doesn't go backwards (Scott Mayhew)
- dm-snapshot: fix 'scheduling while atomic' on real-time kernels (Mikulas Patocka)
- alpha: don't reference obsolete termio struct for TC* constants (Sam James)
- ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels (Sebastian Andrzej Siewior)
- csky: fix csky_cmpxchg_fixup not working (Yang Li)
- drm/xe: Ensure GT is in C0 during resumes (Xin Wang)
- drm/xe: make xe_gt_idle_disable_c6() handle the forcewake internally (Xin Wang)
- libceph: make calc_target() set t->paused, not just clear it (Ilya Dryomov) [Orabug: 38930820] {CVE-2026-23047}
- libceph: reset sparse-read state in osd_fault() (Sam Edwards) [Orabug: 38970263] {CVE-2026-23136}
- libceph: return the handler error from mon_handle_auth_done() (Ilya Dryomov) [Orabug: 38887696] {CVE-2026-22992}
- libceph: make free_choose_arg_map() resilient to partial allocation (Tuo Li) [Orabug: 38887690] {CVE-2026-22991}
- libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (Ilya Dryomov) [Orabug: 38887684] {CVE-2026-22990}
- libceph: prevent potential out-of-bounds reads in handle_auth_done() (Ziming Zhang) [Orabug: 38887672] {CVE-2026-22984}
- wifi: mac80211: restore non-chanctx injection behaviour (Johannes Berg)
- wifi: avoid kernel-infoleak from struct iw_point (Eric Dumazet) [Orabug: 38887649] {CVE-2026-22978}
- pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping (Bartosz Golaszewski)
- gpio: rockchip: mark the GPIO controller as sleeping (Bartosz Golaszewski)
- drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[] (Alex Deucher)
- drm/pl111: Fix error handling in pl111_amba_probe (Miaoqian Lin)
- drm/amdgpu: Fix query for VPE block_type and ip_count (Alan Liu)
- counter: interrupt-cnt: Drop IRQF_NO_THREAD flag (Alexander Sverdlin)
- counter: 104-quad-8: Fix incorrect return value in IRQ handler (Xu Wang)
- lib/crypto: aes: Fix missing MMU protection for AES S-box (Eric Biggers)
- mei: me: add nova lake point S DID (Alexander Usyskin)
- btrfs: always detect conflicting inodes when logging inode refs (Filipe Manana) [Orabug: 38914680] {CVE-2025-71183}
- arm64: Fix cleared E0POE bit after cpu_suspend()/resume() (Levi Yun)
- net: 3com: 3c59x: fix possible null dereference in vortex_probe1() (Thomas Fourier) [Orabug: 38914754] {CVE-2026-23020}
- atm: Fix dma_free_coherent() size (Thomas Fourier)
- NFSD: Remove NFSERR_EAGAIN (Chuck Lever)
- NFSD: net ref data still needs to be freed even if net hasn't startup (Edward Adam Davis)
- nfsd: check that server is running in unlock_filesystem (Olga Kornievskaia) [Orabug: 38887681] {CVE-2026-22989}
- nfsd: use correct loop termination in nfsd4_revoke_states() (Neil Brown)
- nfsd: provide locking for v4_end_grace (Neil Brown) [Orabug: 38887658] {CVE-2026-22980}
- NFSD: Fix permission check for read access to executable-only files (Scott Mayhew)
- LTS version: v6.12.65 (Jack Vogel)
- pwm: stm32: Always program polarity (Sean Nyekjaer)
- virtio_console: fix order of fields cols and rows (Maximilian Immanuel Brandtner)
- sched/fair: Small cleanup to update_newidle_cost() (Peter Zijlstra)
- sched/fair: Small cleanup to sched_balance_newidle() (Peter Zijlstra)
- net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. (Thadeu Lima de Souza Cascardo) [Orabug: 37844499] {CVE-2025-22111}
- cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes (Richa Bharti)
- drm/amdgpu: Forward VMID reservation errors (Natalie Vock)
- net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration (Miaoqian Lin)
- wifi: mac80211: Discard Beacon frames to non-broadcast address (Jouni Malinen) [Orabug: 38852360] {CVE-2025-71127}
- mptcp: ensure context reset on disconnect() (Paolo Abeni) [Orabug: 38852416] {CVE-2025-71144}
- mm: consider non-anon swap cache folios in folio_expected_ref_count() (Bijan Tabatabai)
- mm: simplify folio_expected_ref_count() (David Hildenbrand)
- mm/page_alloc: change all pageblocks migrate type on coalescing (Alexander Gordeev) [Orabug: 38852382] {CVE-2025-71134}
- mptcp: fallback earlier on simult connection (Paolo Abeni) [Orabug: 38848079] {CVE-2025-71088}
