Oracle Linux 6513 Published by

Oracle Linux published a series of security advisories addressing critical vulnerabilities across versions 7, 8, and 9. The updates modify core software including the Unbreakable Enterprise Kernel, golang, podman, nginx, and various multimedia plugins to fix dozens of identified CVEs.

ELSA-2026-50387 Important: Oracle Linux 9 Unbreakable Enterprise kernel security update
ELSA-2026-37435 Important: Oracle Linux 9 golang security, bug fix, and enhancement update
ELSA-2026-37410 Important: Oracle Linux 9 buildah security update
ELSA-2026-37123 Important: Oracle Linux 9 podman security, bug fix, and enhancement update
ELSA-2026-37207 Important: Oracle Linux 9 freerdp security update
ELSA-2026-37129 Important: Oracle Linux 9 gstreamer1-plugins-good security update
ELSA-2026-36879 Important: Oracle Linux 9 tomcat security, bug fix, and enhancement update
ELSA-2026-36834 Important: Oracle Linux 9 gstreamer1-plugins-bad-free security update
ELSA-2026-36777 Important: Oracle Linux 9 unbound security update
ELSA-2026-36674 Moderate: Oracle Linux 9 gstreamer1-plugins-ugly-free security update
ELSA-2026-36018 Important: Oracle Linux 9 kernel security, bug fix, and enhancement update
ELSA-2026-36639 Important: Oracle Linux 9 nginx:1.26 security, bug fix, and enhancement update
ELSA-2026-36618 Important: Oracle Linux 9 nginx:1.24 security, bug fix, and enhancement update
ELSA-2026-26567 Moderate: Oracle Linux 7 libexif security update
ELBA-2026-36723 Oracle Linux 8 gnome-shell-extensions bug fix and enhancement update
ELSA-2026-36617 Important: Oracle Linux 9 oci-seccomp-bpf-hook security update
ELSA-2026-35891 Important: Oracle Linux 9 nodejs:24 security, bug fix, and enhancement update
ELSA-2026-35892 Important: Oracle Linux 9 nodejs:22 security, bug fix, and enhancement update
ELSA-2026-26204 Important: Oracle Linux 9 postgresql:18 security update
ELSA-2026-50387 Important: Oracle Linux 9 Unbreakable Enterprise kernel security update
ELSA-2026-50388 Important: Oracle Linux 8 Unbreakable Enterprise kernel security update
ELBA-2026-50378 Oracle Linux 9 fips-provider-next bug fix update
ELSA-2026-50387 Important: Oracle Linux 8 Unbreakable Enterprise kernel security update
ELSA-2026-36734 Low: Oracle Linux 8 libxml2 security update
ELBA-2026-25921 Oracle Linux 8 scap-security-guide bug fix and enhancement update
ELSA-2026-36728 Low: Oracle Linux 8 libtasn1 security update
ELSA-2026-37282 Important: Oracle Linux 8 unbound security update
ELSA-2026-37137 Important: Oracle Linux 8 tomcat security, bug fix, and enhancement update
ELSA-2026-36733 Moderate: Oracle Linux 8 cups security update
ELSA-2026-37130 Important: Oracle Linux 8 gstreamer1-plugins-bad-free security update
ELSA-2026-36774 Important: Oracle Linux 8 gstreamer1-plugins-good security update
ELSA-2026-36732 Moderate: Oracle Linux 8 python-urllib3 security update
ELSA-2026-36730 Moderate: Oracle Linux 8 libsolv security update
ELSA-2026-36201 Important: Oracle Linux 8 389-ds:1.4 security update
ELSA-2026-50388 Important: Oracle Linux 8 Unbreakable Enterprise kernel security update
ELSA-2026-36721 Moderate: Oracle Linux 8 edk2 security, bug fix, and enhancement update
ELSA-2026-50388 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
ELBA-2026-36731 Oracle Linux 8 libusbx bug fix and enhancement update
ELBA-2026-36725 Oracle Linux 8 nfs-utils bug fix and enhancement update
ELSA-2026-35830 Important: Oracle Linux 8 grafana security update
ELBA-2026-36724 Oracle Linux 8 gdm and gnome-shell bug fix and enhancement update
New Ksplice updates for UEKR8 6.12.0 on OL9 and OL10 (ELSA-2026-50319)



ELSA-2026-50387 Important: Oracle Linux 9 Unbreakable Enterprise kernel security update


Oracle Linux Security Advisory ELSA-2026-50387

http://linux.oracle.com/errata/ELSA-2026-50387.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-core-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-debug-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-debug-core-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-debug-devel-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-debug-modules-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-debug-modules-extra-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-devel-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-doc-5.15.0-322.203.3.3.el9uek.noarch.rpm
kernel-uek-modules-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-modules-extra-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-container-5.15.0-322.203.3.3.el9uek.x86_64.rpm
kernel-uek-container-debug-5.15.0-322.203.3.3.el9uek.x86_64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-uek-5.15.0-322.203.3.3.el9uek.src.rpm

Related CVEs:

CVE-2026-43499

Description of changes:

[5.15.0-322.203.3.3]
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Davidlohr Bueso) [Orabug: 39706512]
- rtmutex: Use waiter::task instead of current in remove_waiter() (Keenan Dong) [Orabug: 39706512] {CVE-2026-43499}



ELSA-2026-37435 Important: Oracle Linux 9 golang security, bug fix, and enhancement update


Oracle Linux Security Advisory ELSA-2026-37435

http://linux.oracle.com/errata/ELSA-2026-37435.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
go-toolset-1.26.5-1.0.1.el9_8.x86_64.rpm
golang-1.26.5-1.0.1.el9_8.x86_64.rpm
golang-bin-1.26.5-1.0.1.el9_8.x86_64.rpm
golang-docs-1.26.5-1.0.1.el9_8.noarch.rpm
golang-misc-1.26.5-1.0.1.el9_8.noarch.rpm
golang-race-1.26.5-1.0.1.el9_8.x86_64.rpm
golang-src-1.26.5-1.0.1.el9_8.noarch.rpm
golang-tests-1.26.5-1.0.1.el9_8.noarch.rpm

aarch64:
go-toolset-1.26.5-1.0.1.el9_8.aarch64.rpm
golang-1.26.5-1.0.1.el9_8.aarch64.rpm
golang-bin-1.26.5-1.0.1.el9_8.aarch64.rpm
golang-docs-1.26.5-1.0.1.el9_8.noarch.rpm
golang-misc-1.26.5-1.0.1.el9_8.noarch.rpm
golang-race-1.26.5-1.0.1.el9_8.aarch64.rpm
golang-src-1.26.5-1.0.1.el9_8.noarch.rpm
golang-tests-1.26.5-1.0.1.el9_8.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/golang-1.26.5-1.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-39821
CVE-2026-39822

Description of changes:

[1.26.5-1.0.1]
- EXPERIMENTAL: Introduce fipsnoenforceems GODEBUG var

[1.26.5-1]
- Update to Go 1.26.5 (fips-1)
- Resolves: RHEL-193476

[1.25.7-1]
- Update to Go 1.25.7 (fips-1)
- Resolves: RHEL-146452

[1.25.5-1]
- Update to Go 1.25.5 (fips-1)
- Resolves: RHEL-139364

[1.25.3-2]
- Cleanup lib/ ownership

[1.25.3-1]
- Update to Go 1.25.3
- Resolves: RHEL-121220

[1.25.1-1]
- Update to Go 1.25.1
- Resolves: RHEL-116850

[1.25.0-2]
- Revert DWARF5 defaults
- Add elf5 to rpminspect.yaml
- Related: RHEL-109557

[1.25.0-1]
- Update to Go 1.25.0
- Set GOAMD64 to v2 to align with new architecture baselines
- Modify the modify_go.env.patch to reflect GOAMD64 baseline version change to v2
- Resolves: RHEL-109557

[1.24.6-1]
- Update to Go 1.24.6 (fips-1)
- Resolves: RHEL-106461



ELSA-2026-37410 Important: Oracle Linux 9 buildah security update


Oracle Linux Security Advisory ELSA-2026-37410

http://linux.oracle.com/errata/ELSA-2026-37410.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
buildah-1.43.1-3.0.1.el9_8.x86_64.rpm
buildah-tests-1.43.1-3.0.1.el9_8.x86_64.rpm

aarch64:
buildah-1.43.1-3.0.1.el9_8.aarch64.rpm
buildah-tests-1.43.1-3.0.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/buildah-1.43.1-3.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-39832
CVE-2026-39835

Description of changes:

[1.43.1-3.0.1]
- Drop nmap-ncat requirement and skip ignore-socket test case [Orabug: 34117178]

[2:1.43.1-3]
- bump golang.org/x/crypto to v0.53.0 to fix CVE-2026-39832 and CVE-2026-39835
- Resolves: RHEL-188733 RHEL-190066



ELSA-2026-37123 Important: Oracle Linux 9 podman security, bug fix, and enhancement update


Oracle Linux Security Advisory ELSA-2026-37123

http://linux.oracle.com/errata/ELSA-2026-37123.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
podman-5.8.2-4.0.1.el9_8.x86_64.rpm
podman-docker-5.8.2-4.0.1.el9_8.noarch.rpm
podman-plugins-5.8.2-4.0.1.el9_8.x86_64.rpm
podman-remote-5.8.2-4.0.1.el9_8.x86_64.rpm
podman-tests-5.8.2-4.0.1.el9_8.x86_64.rpm

aarch64:
podman-5.8.2-4.0.1.el9_8.aarch64.rpm
podman-docker-5.8.2-4.0.1.el9_8.noarch.rpm
podman-plugins-5.8.2-4.0.1.el9_8.aarch64.rpm
podman-remote-5.8.2-4.0.1.el9_8.aarch64.rpm
podman-tests-5.8.2-4.0.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/podman-5.8.2-4.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-25681
CVE-2026-27136
CVE-2026-39829
CVE-2026-39832
CVE-2026-39835
CVE-2026-42508
CVE-2026-57231

Description of changes:

[5.8.2-4.0.1]
- Rework CNI/Netavark detection logic [JIRA: EVG-3769]
- Rebuild on new golang to support experimental GODEBUG fipsnoenforceems
- Drop nmap-ncat requirement and skip ignore-socket test case [Orabug: 34117404]

[6:5.8.2-4]
- bump to upstream commit a476c2b2 fixing CVE-2026-39835 CVE-2026-39829
CVE-2026-39832 CVE-2026-42508 CVE-2026-27136 CVE-2026-25681 CVE-2026-57231 and
podman-remote save regression



ELSA-2026-37207 Important: Oracle Linux 9 freerdp security update


Oracle Linux Security Advisory ELSA-2026-37207

http://linux.oracle.com/errata/ELSA-2026-37207.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
freerdp-2.11.7-7.el9_8.4.x86_64.rpm
freerdp-devel-2.11.7-7.el9_8.4.i686.rpm
freerdp-devel-2.11.7-7.el9_8.4.x86_64.rpm
freerdp-libs-2.11.7-7.el9_8.4.i686.rpm
freerdp-libs-2.11.7-7.el9_8.4.x86_64.rpm
libwinpr-2.11.7-7.el9_8.4.i686.rpm
libwinpr-2.11.7-7.el9_8.4.x86_64.rpm
libwinpr-devel-2.11.7-7.el9_8.4.i686.rpm
libwinpr-devel-2.11.7-7.el9_8.4.x86_64.rpm

aarch64:
freerdp-2.11.7-7.el9_8.4.aarch64.rpm
freerdp-devel-2.11.7-7.el9_8.4.aarch64.rpm
freerdp-libs-2.11.7-7.el9_8.4.aarch64.rpm
libwinpr-2.11.7-7.el9_8.4.aarch64.rpm
libwinpr-devel-2.11.7-7.el9_8.4.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/freerdp-2.11.7-7.el9_8.4.src.rpm

Related CVEs:

CVE-2026-45700

Description of changes:

[2:2.11.7-7.4]
- Fix incorrect bounds checks in planar codec (CVE-2026-45700)
Resolves: RHEL-186991



ELSA-2026-37129 Important: Oracle Linux 9 gstreamer1-plugins-good security update


Oracle Linux Security Advisory ELSA-2026-37129

http://linux.oracle.com/errata/ELSA-2026-37129.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
gstreamer1-plugins-good-1.22.12-7.el9_8.1.i686.rpm
gstreamer1-plugins-good-1.22.12-7.el9_8.1.x86_64.rpm
gstreamer1-plugins-good-gtk-1.22.12-7.el9_8.1.i686.rpm
gstreamer1-plugins-good-gtk-1.22.12-7.el9_8.1.x86_64.rpm

aarch64:
gstreamer1-plugins-good-1.22.12-7.el9_8.1.aarch64.rpm
gstreamer1-plugins-good-gtk-1.22.12-7.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/gstreamer1-plugins-good-1.22.12-7.el9_8.1.src.rpm

Related CVEs:

CVE-2026-53705

Description of changes:

[1.22.12-7.1]
- Rebase rhel-9.8.0 from 1.18.4 to 1.22.12 to resync with rhel-9.7.0/c9s
(this branch had regressed to a stale pre-1.22.12 base)
Resolves: RHEL-156269, RHEL-156270
- Fix CVE-2026-53705: integer overflow in wavpack decoder, re-applied
on top of the correct 1.22.12 base
Resolves: RHEL-184477

[1.22.12-5]
- Apply patches for CVE-2026-3083, CVE-2026-3085
Resolves: RHEL-156267, RHEL-156266

[1.22.12-4]
- Apply patches for CVE-2024-47537, CVE-2024-47539, CVE-2024-47540
CVE-2024-47543, CVE-2024-47544, CVE-2024-47545, CVE-2024-47546,
CVE-2024-47596, CVE-2024-47597, CVE-2024-47598, CVE-2024-47599,
CVE-2024-47601, CVE-2024-47602, CVE-2024-47603, CVE-2024-47606,
CVE-2024-47613, CVE-2024-47774, CVE-2024-47775, CVE-2024-47776,
CVE-2024-47777, CVE-2024-47778, CVE-2024-47834
- Resolves: RHEL-70958, RHEL-70971, RHEL-71033, RHEL-71195
- Resolves: RHEL-71210, RHEL-71202, RHEL-71171, RHEL-71200
- Resolves: RHEL-71206, RHEL-71173, RHEL-71198, RHEL-71204
- Resolves: RHEL-71208, RHEL-71031, RHEL-71007, RHEL-71039
- Resolves: RHEL-71169, RHEL-71192, RHEL-71161, RHEL-71167
- Resolves: RHEL-71189

[1.22.12-3]
- Rebuild
- Resolves: RHEL-38511, RHEL-41157

[1.22.12-2]
- Rebuild
- Resolves: RHEL-38511, RHEL-41157



ELSA-2026-36879 Important: Oracle Linux 9 tomcat security, bug fix, and enhancement update


Oracle Linux Security Advisory ELSA-2026-36879

http://linux.oracle.com/errata/ELSA-2026-36879.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
tomcat-9.0.117-2.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-2.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-2.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-2.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-2.el9_8.noarch.rpm
tomcat-lib-9.0.117-2.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-2.el9_8.noarch.rpm
tomcat-webapps-9.0.117-2.el9_8.noarch.rpm

aarch64:
tomcat-9.0.117-2.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-2.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-2.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-2.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-2.el9_8.noarch.rpm
tomcat-lib-9.0.117-2.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-2.el9_8.noarch.rpm
tomcat-webapps-9.0.117-2.el9_8.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/tomcat-9.0.117-2.el9_8.src.rpm

Related CVEs:

CVE-2026-29146
CVE-2026-34486

Description of changes:

[1:9.0.117-2]
- Resolves: RHEL-183992 Remove tomcat clustering JAR from RPM builds
- Exclude i686 architecture from build



ELSA-2026-36834 Important: Oracle Linux 9 gstreamer1-plugins-bad-free security update


Oracle Linux Security Advisory ELSA-2026-36834

http://linux.oracle.com/errata/ELSA-2026-36834.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
gstreamer1-plugins-bad-free-1.22.12-7.el9_8.1.i686.rpm
gstreamer1-plugins-bad-free-1.22.12-7.el9_8.1.x86_64.rpm
gstreamer1-plugins-bad-free-devel-1.22.12-7.el9_8.1.i686.rpm
gstreamer1-plugins-bad-free-devel-1.22.12-7.el9_8.1.x86_64.rpm
gstreamer1-plugins-bad-free-libs-1.22.12-7.el9_8.1.i686.rpm
gstreamer1-plugins-bad-free-libs-1.22.12-7.el9_8.1.x86_64.rpm

aarch64:
gstreamer1-plugins-bad-free-1.22.12-7.el9_8.1.aarch64.rpm
gstreamer1-plugins-bad-free-devel-1.22.12-7.el9_8.1.aarch64.rpm
gstreamer1-plugins-bad-free-libs-1.22.12-7.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/gstreamer1-plugins-bad-free-1.22.12-7.el9_8.1.src.rpm

Related CVEs:

CVE-2026-52718
CVE-2026-52719
CVE-2026-52720
CVE-2026-52722

Description of changes:

[1.22.12-7.1]
- Sync with c9s release -5..-7: fix for CVE-2026-2923, CVE-2026-3082
in dvbsuboverlay and jpegparser
Resolves: RHEL-156242, RHEL-156255

[1.22.12-4.4]
- Fix bytes/bits confusion in AV1 tile data size parsing
(CVE-2026-52718)
Resolves: RHEL-184388

[1.22.12-4.3]
- Fix for CVE-2026-52719: vajpegdecoder out-of-bounds read
Resolves: RHEL-184403

[1.22.12-4.2]
- Fix integer overflows in vmnc decoder (CVE-2026-52722)
Resolves: RHEL-184422

[1.22.12-4.1]
- Fix for CVE-2026-52720: validate framebuffer update rectangles
in librfb plugin
Resolves: RHEL-184459

[1.22.12-4]
- fix for CVE-2025-3887
Resolves: RHEL-93059

[1.22.12-3]
- Rebuild
- Resolves: RHEL-38511, RHEL-41157

[1.22.12-2]
- Rebuild
- Resolves: RHEL-38511, RHEL-41157



ELSA-2026-36777 Important: Oracle Linux 9 unbound security update


Oracle Linux Security Advisory ELSA-2026-36777

http://linux.oracle.com/errata/ELSA-2026-36777.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
python3-unbound-1.24.2-3.el9_8.2.x86_64.rpm
unbound-1.24.2-3.el9_8.2.x86_64.rpm
unbound-devel-1.24.2-3.el9_8.2.i686.rpm
unbound-devel-1.24.2-3.el9_8.2.x86_64.rpm
unbound-dracut-1.24.2-3.el9_8.2.x86_64.rpm
unbound-libs-1.24.2-3.el9_8.2.i686.rpm
unbound-libs-1.24.2-3.el9_8.2.x86_64.rpm

aarch64:
python3-unbound-1.24.2-3.el9_8.2.aarch64.rpm
unbound-1.24.2-3.el9_8.2.aarch64.rpm
unbound-devel-1.24.2-3.el9_8.2.aarch64.rpm
unbound-dracut-1.24.2-3.el9_8.2.aarch64.rpm
unbound-libs-1.24.2-3.el9_8.2.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/unbound-1.24.2-3.el9_8.2.src.rpm

Related CVEs:

CVE-2026-40622
CVE-2026-41292
CVE-2026-42534
CVE-2026-44390

Description of changes:

[1.24.2-3.2]
- Fix CVE-2026-40622 (RHEL-184840)
Fix CVE-2026-44390 (RHEL-186688)
Fix CVE-2026-41292 (RHEL-187352)
Fix CVE-2026-42534 (RHEL-187095)



ELSA-2026-36674 Moderate: Oracle Linux 9 gstreamer1-plugins-ugly-free security update


Oracle Linux Security Advisory ELSA-2026-36674

http://linux.oracle.com/errata/ELSA-2026-36674.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
gstreamer1-plugins-ugly-free-1.22.12-6.el9_8.1.i686.rpm
gstreamer1-plugins-ugly-free-1.22.12-6.el9_8.1.x86_64.rpm

aarch64:
gstreamer1-plugins-ugly-free-1.22.12-6.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/gstreamer1-plugins-ugly-free-1.22.12-6.el9_8.1.src.rpm

Related CVEs:

CVE-2026-53703
CVE-2026-53704

Description of changes:

[1.22.12-6.1]
- Fix CVE-2026-53704: multiple rmdemux security issues
- Resolves: RHEL-184464



ELSA-2026-36018 Important: Oracle Linux 9 kernel security, bug fix, and enhancement update


Oracle Linux Security Advisory ELSA-2026-36018

http://linux.oracle.com/errata/ELSA-2026-36018.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-abi-stablelists-5.14.0-687.22.1.el9_8.noarch.rpm
kernel-core-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-cross-headers-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-core-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-devel-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-devel-matched-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-modules-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-modules-core-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-modules-extra-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-debug-uki-virt-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-devel-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-devel-matched-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-doc-5.14.0-687.22.1.el9_8.noarch.rpm
kernel-headers-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-modules-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-modules-core-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-modules-extra-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-tools-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-tools-libs-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-tools-libs-devel-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-uki-virt-5.14.0-687.22.1.el9_8.x86_64.rpm
kernel-uki-virt-addons-5.14.0-687.22.1.el9_8.x86_64.rpm
libperf-5.14.0-687.22.1.el9_8.x86_64.rpm
perf-5.14.0-687.22.1.el9_8.x86_64.rpm
python3-perf-5.14.0-687.22.1.el9_8.x86_64.rpm
rtla-5.14.0-687.22.1.el9_8.x86_64.rpm
rv-5.14.0-687.22.1.el9_8.x86_64.rpm

aarch64:
kernel-cross-headers-5.14.0-687.22.1.el9_8.aarch64.rpm
kernel-headers-5.14.0-687.22.1.el9_8.aarch64.rpm
kernel-tools-5.14.0-687.22.1.el9_8.aarch64.rpm
kernel-tools-libs-5.14.0-687.22.1.el9_8.aarch64.rpm
kernel-tools-libs-devel-5.14.0-687.22.1.el9_8.aarch64.rpm
libperf-5.14.0-687.22.1.el9_8.aarch64.rpm
perf-5.14.0-687.22.1.el9_8.aarch64.rpm
python3-perf-5.14.0-687.22.1.el9_8.aarch64.rpm
rtla-5.14.0-687.22.1.el9_8.aarch64.rpm
rv-5.14.0-687.22.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-5.14.0-687.22.1.el9_8.src.rpm

Related CVEs:

CVE-2025-10263
CVE-2026-43112
CVE-2026-43276
CVE-2026-46116
CVE-2026-46155
CVE-2026-46209
CVE-2026-46227
CVE-2026-46244
CVE-2026-46259
CVE-2026-46316
CVE-2026-46323

Description of changes:

[5.14.0-687.22.1]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 dev is null (Cezar Bulinaru) [Orabug: 39526881] {CVE-2022-50073}
- mmc: dwcmshc_bf3_hw_reset: Log eMMC reset calls (Satyansh Shukla) [Orabug: 39333650]
- arm64: dts: pensando: drop elba penfw firmware node (Tom Saeger) [Orabug: 39522954]
- batman-adv: hold claim backbone gateways by reference (Haoze Xie) [Orabug: 39262374] {CVE-2026-31657}
- rds: Drop rds conn in connect worker if not in down state. (Rohit Nair) [Orabug: 39179363]

[5.15.0-322.203.2]
- LTS version: v5.15.203 (Vijayendra Suman)
- io_uring/poll: correctly handle io_poll_add() return value on update (Jens Axboe)
- ksmbd: Fix dangling pointer in krb_authenticate (Sean Heelan)
- ksmbd: Fix refcount leak when invalid session is found on session lookup (Namjae Jeon)
- Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ (Luiz Augusto von Dentz)
- i2c: cp2615: fix serial string NULL-deref at probe (Johan Hovold)
- i2c: cp2615: replace deprecated strncpy with strscpy (Justin Stitt)
- ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() (Namjae Jeon)
- ksmbd: fix potencial OOB in get_file_all_info() for compound requests (Namjae Jeon)
- tracing: Fix potential deadlock in cpu hotplug with osnoise (Luo Haiyang)
- x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling() (Nikunj A Dadhania)
- mm/huge_memory: fix folio isn't locked in softleaf_to_folio() (Jinjiang Tu)
- scsi: target: tcm_loop: Drain commands in target_reset handler (Josef Bacik)
- net: macb: Move devm_{free,request}_irq() out of spin lock area (Kevin Hao)
- dmaengine: sh: rz-dmac: Protect the driver specific lists (Claudiu Beznea)
- dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock (Claudiu Beznea)
- xfs: save ailp before dropping the AIL lock in push callbacks (Yuto Ohnuki)
- ext4: fix use-after-free in update_super_work when racing with umount (Jiayuan Chen)
- ext4: fix the might_sleep() warnings in kvfree() (Zqiang)
- ext4: publish jinode after initialization (Li Chen)
- usb: gadget: uvc: fix NULL pointer dereference during unbind race (Jimmy Hu)
- usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop (Kuen-Han Tsai)
- usb: gadget: f_hid: move list and spinlock inits from bind to alloc (Michael Zimmermann)
- net: rfkill: prevent unlimited numbers of rfkill events from being created (Greg Kroah-Hartman)
- seg6: separate dst_cache for input and output paths in seg6 lwtunnel (Andrea Mayer)
- Revert "mptcp: add needs_id for netlink appending addr" (Matthieu Baerts (NGI0))
- xen/privcmd: unregister xenstore notifier on module exit (GuoHan Zhao)
- netlink: add nla be16/32 types to minlen array (Florian Westphal)
- rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) (David Howells)
- rxrpc: fix reference count leak in rxrpc_server_keyring() (Luxiao Xu)
- net: stmmac: fix integer underflow in chain mode (Tyllis Xu)
- net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure (Pengpeng Hou)
- mmc: vub300: fix NULL-deref on disconnect (Johan Hovold)
- drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat (Sebastian Brzezinka)
- net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() (David Carlier)
- net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption (Muhammad Alifa Ramdhan)
- batman-adv: reject oversized global TT response buffers (Ruide Cao)
- nfc: pn533: allocate rx skb before consuming bytes (Pengpeng Hou)
- arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges (Shawn Guo)
- arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity (Shawn Guo)
- wifi: brcmsmac: Fix dma_free_coherent() size (Thomas Fourier)
- tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG (Oleh Konko)
- netfilter: nft_ct: fix use-after-free in timeout object destroy (Tuan Do)
- apparmor: fix race between freeing data and fs accessing it (John Johansen)
- apparmor: fix race on rawdata dereference (John Johansen)
- apparmor: fix differential encoding verification (John Johansen)
- apparmor: fix unprivileged local user can do privileged policy management (John Johansen)
- apparmor: Fix double free of ns_name in aa_replace_profiles() (John Johansen)
- apparmor: fix missing bounds check on DEFAULT table in verify_dfa() (Massimiliano Pellizzer)
- apparmor: fix side-effect bug in match_char() macro usage (Massimiliano Pellizzer)
- apparmor: fix: limit the number of levels of policy namespaces (John Johansen)
- apparmor: replace recursive profile removal with iterative approach (Massimiliano Pellizzer)
- apparmor: fix memory leak in verify_header (Massimiliano Pellizzer)
- apparmor: validate DFA start states are in bounds in unpack_pdb (Massimiliano Pellizzer)
- iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer (Nuno Sa)
- gpiolib: cdev: fix uninitialised kfifo (Kent Gibson)
- media: uvcvideo: Use heuristic to find stream entity (Ricardo Ribalda)
- media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID (Thadeu Lima de Souza Cascardo)
- Input: uinput - take event lock when submitting FF request "event" (Dmitry Torokhov)
- Input: uinput - fix circular locking dependency with ff-core (Mikhail Gavrilov)
- mptcp: fix slab-use-after-free in __inet_lookup_established (Jiayuan Chen)
- xfrm_user: fix info leak in build_report() (Greg Kroah-Hartman)
- wifi: rt2x00usb: fix devres lifetime (Johan Hovold)
- lib/crypto: chacha: Zeroize permuted_state before it leaves scope (Eric Biggers)
- wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free (Alexander Popov)
- io_uring/tctx: work around xa_store() allocation error issue (Jens Axboe)
- usb: gadget: f_uac1_legacy: validate control request size (Taegu Ha)
- usb: gadget: f_rndis: Protect RNDIS options with mutex (Kuen-Han Tsai)
- usb: gadget: f_subset: Fix unbalanced refcnt in geth_free (Kuen-Han Tsai)
- staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser (Navaneeth K)
- smb: client: Fix refcount leak for cifs_sb_tlink (Shuhao Fu)
- net: mctp: Don't access ifa_index when missing (Matt Johnston)
- fbcon: Set fb_display[i]->mode to NULL when the mode is released (Quanmin Yan)
- can: gs_usb: gs_usb_receive_bulk_callback(): fix error message (Marc Kleine-Budde)
- can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error (Marc Kleine-Budde)
- can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak (Marc Kleine-Budde)
- usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial transfer (Sebastian Urban)
- USB: dummy-hcd: Fix interrupt synchronization error (Alan Stern)
- USB: dummy-hcd: Fix locking/synchronization error (Alan Stern)
- thunderbolt: Fix property read in nhi_wake_supported() (Konrad Dybcio)
- net: ftgmac100: fix ring allocation unwind on open failure (Yufan Chen)
- vxlan: validate ND option lengths in vxlan_na_create (Yang Yang)
- netfilter: ipset: drop logically empty buckets in mtype_del (Yifan Wu)
- comedi: me4000: Fix potential overrun of firmware buffer (Ian Abbott)
- comedi: me_daq: Fix potential overrun of firmware buffer (Ian Abbott)
- comedi: ni_atmio16d: Fix invalid clean-up after failed attach (Ian Abbott)
- comedi: Reinit dev->spinlock between attachments to low-level drivers (Ian Abbott)
- comedi: dt2815: add hardware detection to prevent crash (Deepanshu Kartikey)
- cdc-acm: new quirk for EPSON HMD (Oliver Neukum)
- bridge: br_nd_send: validate ND option lengths (Yang Yang)
- phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (Claudiu Beznea)
- phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (Claudiu Beznea)
- phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (Claudiu Beznea)
- phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (Claudiu Beznea)
- usb: cdns3: gadget: fix state inconsistency on gadget init failure (Yongchao Wu)
- usb: cdns3: gadget: fix NULL pointer dereference in ep_queue (Yongchao Wu)
- usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop() (Juno Choi)
- usb: ehci-brcm: fix sleep during atomic (Justin Chen)
- usb: usbtmc: Flush anchored URBs in usbtmc_release (Heitor Alves de Siqueira)
- usb: ulpi: fix double free in ulpi_register_interface() error path (Guangshuo Li)
- usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive (Miao Li)
- iio: gyro: mpu3050: Fix out-of-sequence free_irq() (Ethan Tidmore)
- iio: gyro: mpu3050: Move iio_device_register() to correct location (Ethan Tidmore)
- iio: gyro: mpu3050: Fix irq resource leak (Ethan Tidmore)
- iio: gyro: mpu3050: Fix incorrect free_irq() variable (Ethan Tidmore)
- iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only (Francesco Lavra)
- iio: light: vcnl4035: fix scan buffer on big-endian (David Lechner)
- iio: dac: ad5770r: fix error return in ad5770r_read_raw() (Antoniu Miclaus)
- Input: xpad - add support for Razer Wolverine V3 Pro (Zoltan Illes)
- Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table (Christoffer Sandberg)
- Input: synaptics-rmi4 - fix a locking bug in an error path (Bart Van Assche)
- USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam (JP Hein)
- USB: serial: option: add support for Rolling Wireless RW135R-GL (Wanquan Zhong)
- USB: serial: io_edgeport: add support for Blackbox IC135A (Frej Drejhammar)
- drm/ast: dp501: Fix initialization of SCU2C (Thomas Zimmermann)
- hwmon: (occ) Fix division by zero in occ_show_power_1() (Sanman Pradhan)
- MIPS: Fix the GCC version check for __multi3' workaround (Maciej W. Rozycki)
- Bluetooth: SMP: force responder MITM requirements before building the pairing response (Oleh Konko)
- Bluetooth: SMP: derive legacy responder STK authentication from MITM state (Oleh Konko)
- ALSA: ctxfi: Fix missing SPDIFI1 index handling (Takashi Iwai)
- ALSA: caiaq: fix stack out-of-bounds read in init_card (Berk Cem Goksel)
- USB: serial: option: add MeiG Smart SRM825WN (Ernestas Kulik)
- wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation (Yasuaki Torimaru)
- drm/ioc32: stop speculation on the drm_compat_ioctl path (Greg Kroah-Hartman)
- riscv: kgdb: fix several debug register assignment bugs (Paul Walmsley)
- hwmon: (occ) Fix missing newline in occ_show_extended() (Sanman Pradhan)
- hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify() (Sanman Pradhan)
- hwmon: (pxe1610) Check return value of page-select write in probe (Sanman Pradhan)
- bpf: reject direct access to nullable PTR_TO_BUF pointers (Qi Tang)
- ipv6: avoid overflows in ip6_datagram_send_ctl() (Eric Dumazet)
- net/sched: cls_flow: fix NULL pointer dereference on shared blocks (Xiang Mei)
- net/sched: cls_fw: fix NULL pointer dereference on shared blocks (Xiang Mei)
- net/x25: Fix overflow when accumulating packets (Martin Schiller)
- net/x25: Fix potential double free of skb (Martin Schiller)
- net/mlx5: Avoid "No data available" when FW version queries fail (Saeed Mahameed)
- net: macb: properly unregister fixed rate clocks (Fedor Pchelkin)
- net: macb: fix clk handling on PCI glue driver removal (Fedor Pchelkin)
- Bluetooth: MGMT: validate LTK enc_size on load (Keenan Dong)
- netfilter: nf_tables: reject immediate NF_QUEUE verdict (Pablo Neira Ayuso)
- netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP (Pablo Neira Ayuso)
- netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent (Qi Tang)
- netfilter: nf_conntrack_helper: pass helper to expect cleanup (Qi Tang)
- netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr (Florian Westphal)
- netfilter: x_tables: ensure names are nul-terminated (Florian Westphal)
- netfilter: nfnetlink_log: account for netlink header size (Florian Westphal)
- netfilter: flowtable: strictly check for maximum number of actions (Pablo Neira Ayuso)
- net: ipv6: flowlabel: defer exclusive option free until RCU teardown (Zhengchuan Liang)
- bpf: Fix regsafe() for pointers to packet (Alexei Starovoitov)
- net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec (Suraj Gupta)
- NFC: pn533: bound the UART receive buffer (Pengpeng Hou)
- net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak (Yochai Eisenrich)
- ipv6: prevent possible UaF in addrconf_permanent_addr() (Paolo Abeni)
- net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() (Xiang Mei)
- bridge: br_nd_send: linearize skb before parsing ND options (Yang Yang)
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (Eric Dumazet)
- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() (Eric Dumazet)
- tg3: Fix race for querying speed/duplex (Thomas Bogendoerfer)
- net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak (Yochai Eisenrich)
- net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak (Jiayuan Chen)
- crypto: af-alg - fix NULL pointer dereference in scatterwalk (Norbert Szetei)
- dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common property warning (Frank Li)
- btrfs: reject root items with drop_progress and zero drop_level (ZhengYuan Huang)
- HID: multitouch: Check to ensure report responses match the request (Lee Jones)
- objtool: Fix Clang jump table detection (Josh Poimboeuf)
- btrfs: don't take device_list_mutex when querying zone info (Johannes Thumshirn)
- atm: lec: fix use-after-free in sock_def_readable() (Deepanshu Kartikey)
- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (Benoît Sevens)
- futex: Clear stale exiting pointer in futex_lock_pi() retry path (Davidlohr Bueso)
- dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA (Tomi Valkeinen)
- dmaengine: xilinx_dma: Program interrupt delay timeout (Radhey Shyam Pandey)
- dmaengine: idxd: Fix freeing the allocated ida too late (Vinicius Costa Gomes)
- btrfs: fix lost error when running device stats on multiple devices fs (Filipe Manana)
- btrfs: fix super block offset in error message in btrfs_validate_super() (Mark Harmstone)
- dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction (Marek Vasut)
- dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA (Marek Vasut)
- dmaengine: xilinx: xilinx_dma: Fix dma_device directions (Marek Vasut)
- phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types() (Felix Gu)
- ext4: always drain queued discard work in ext4_mb_release() (Theodore Ts'o)
- ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths (Baokun Li)
- ext4: reject mount if bigalloc with s_first_data_block != 0 (Helen Koike)
- ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() (Ye Bin)
- ext4: make recently_deleted() properly work with lazy itable initialization (Jan Kara)
- ext4: convert inline data to extents when truncate exceeds inline size (Deepanshu Kartikey)
- xfs: stop reclaim before pushing AIL during unmount (Yuto Ohnuki)
- jbd2: gracefully abort on checkpointing state corruptions (Milos Nikic)
- scsi: ses: Handle positive SCSI error from ses_recv_diag() (Greg Kroah-Hartman)
- scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() (Tyllis Xu)
- alarmtimer: Fix argument order in alarm_timer_forward() (Zhan Xusheng)
- erofs: add GFP_NOIO in the bio completion if needed (Jiucheng Xu)
- virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false (xietangxin)
- media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex (Yuchan Nam)
- cpufreq: conservative: Reset requested_freq on limits change (Viresh Kumar)
- can: gw: fix OOB heap access in cgw_csum_crc8_rel() (Ali Norouzi)
- s390/barrier: Make array_index_mask_nospec() __always_inline (Vasily Gorbik)
- s390/syscalls: Add spectre boundary for syscall dispatch table (Greg Kroah-Hartman)
- spi: spi-fsl-lpspi: fix teardown order issue (UAF) (Marc Kleine-Budde)
- ASoC: adau1372: Fix clock leak on PLL lock failure (Jihed Chaibi)
- ASoC: adau1372: Fix unchecked clk_prepare_enable() return value (Jihed Chaibi)
- sysctl: fix uninitialized variable in proc_do_large_bitmap (Marc Buerg)
- hwmon: (adm1177) fix sysfs ABI violation and current unit conversion (Sanman Pradhan)
- ACPI: EC: Fix ECDT probe ordering issues (Hans de Goede)
- ACPI: EC: Fix EC address space handler unregistration (Hans de Goede)
- ACPICA: Allow address_space_handler Install and _REG execution as 2 separate steps (Hans de Goede)
- ACPICA: include/acpi/acpixf.h: Fix indentation (Hans de Goede)
- ASoC: Intel: catpt: Fix the device initialization (Cezary Rojewski)
- drm/i915/gmbus: fix spurious timeout on 512-byte burst reads (Samasth Norway Ananda)
- x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size (Mike Rapoport (Microsoft))
- scsi: scsi_transport_sas: Fix the maximum channel scanning issue (Yihang Li)
- RDMA/irdma: Return EINVAL for invalid arp index error (Tatyana Nikolova)
- RDMA/irdma: Fix deadlock during netdev reset with active connections (Anil Samal)
- RDMA/irdma: Remove reset check from irdma_modify_qp_to_err() (Tatyana Nikolova)
- RDMA/irdma: Clean up unnecessary dereference of event->cm_node (Ivan Barrera)
- RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce() (Tatyana Nikolova)
- RDMA/irdma: Update ibqp state to error if QP is already in error state (Tatyana Nikolova)
- RDMA/rw: Fall back to direct SGE on MR pool exhaustion (Chuck Lever)
- regmap: Synchronize cache for the page selector (Andy Shevchenko)
- net: macb: use the current queue number for stats (Paolo Valerio)
- netfilter: ctnetlink: use netlink policy range checks (David Carlier)
- netlink: allow be16 and be32 types in all uint policy checks (Florian Westphal)
- netlink: introduce bigendian integer types (Florian Westphal)
- netfilter: nft_payload: reject out-of-range attributes via policy (Florian Westphal)
- netlink: introduce NLA_POLICY_MAX_BE (Florian Westphal)
- netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp (Weiming Shi)
- netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() (Ren Wei)
- netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD (Weiming Shi)
- Bluetooth: btusb: clamp SCO altsetting table indices (Pengpeng Hou)
- Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop (Hyunwoo Kim)
- dma-mapping: add missing inline for dma_free_attrs (Miguel Ojeda)
- net: enetc: fix the output issue of 'ethtool --show-ring' (Wei Fang)
- net: fix fanout UAF in packet_release() via NETDEV_UP race (Yochai Eisenrich)
- platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen (Alok Tiwari)
- rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size (Sabrina Dubroca)
- net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer (Qi Tang)
- openvswitch: validate MPLS set/set_masked payload length (Yang Yang)
- nfc: nci: fix circular locking dependency in nci_close_device (Jakub Kicinski)
- ionic: fix persistent MAC address override on PF (Mohammad Heib)
- pinctrl: mediatek: common: Fix probe failure for devices without EINT (Luca Leonardo Scorcia)
- Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb (Helen Koike)
- Bluetooth: hci_ll: Fix firmware leak on error path (Anas Iqbal)
- Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (Hyunwoo Kim)
- Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() (Hyunwoo Kim)
- can: statistics: add missing atomic access in hot path (Oliver Hartkopp)
- af_key: validate families in pfkey_send_migrate() (Eric Dumazet)
- esp: fix skb leak with espintcp and async crypto (Sabrina Dubroca)
- xfrm: Fix the usage of skb->sk (Steffen Klassert)
- xfrm: call xdo_dev_state_delete during state update (Sabrina Dubroca)
- ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390 (Uzair Mughal)
- dma-buf: Include ioctl.h in UAPI header (Isaac J. Manjarres)
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits() (Mark Brown)
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg() (Mark Brown)
- module: Fix kernel panic when a symbol st_shndx is out of bounds (Ihor Solodrai)
- HID: mcp2221: cancel last I2C command on read error (Romain Sioen)
- net: usb: r8152: add TRENDnet TUC-ET2G (Valentin Spreckels)
- HID: magicmouse: avoid memory leak in magicmouse_report_fixup() (Günther Noack)
- HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2 (Julius Lehmann)
- nvme-pci: ensure we're polling a polled queue (Keith Busch)
- platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10 (Hans de Goede)
- platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1 (Leif Skunberg)
- nvme-pci: cap queue creation to used queues (Keith Busch)
- platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list (Peter Metz)
- HID: asus: avoid memory leak in asus_report_fixup() (Günther Noack)
- bpf: Release module BTF IDR before module unload (Kumar Kartikeya Dwivedi)
- sh: platform_early: remove pdev->driver_override check (Danilo Krummrich)
- xen/privcmd: add boot control for restricted usage in domU (Juergen Gross)
- xen/privcmd: restrict usage in unprivileged domU (Juergen Gross)
- netfilter: nft_set_pipapo: split gc into unlink and reclaim phase (Florian Westphal)
- netfilter: nf_tables: de-constify set commit ops function argument (Florian Westphal)
- tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure (Josh Law)
- lib/bootconfig: check xbc_init_node() return in override path (Josh Law)
- drm/i915/gt: Check set_default_submission() before deferencing (Rahul Bukte)
- ksmbd: fix use-after-free of share_conf in compound request (Hyunwoo Kim)
- mtd: rawnand: brcmnand: skip DMA during panic write (Kamal Dasu)
- mtd: rawnand: serialize lock/unlock against other NAND operations (Kamal Dasu)
- i2c: fsi: Fix a potential leak in fsi_i2c_probe() (Christophe JAILLET)
- hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit() (Sanman Pradhan)
- icmp: fix NULL pointer dereference in icmp_tag_validation() (Weiming Shi)
- net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths (Anas Iqbal)
- net: mvpp2: guard flow control update with global_tx_fc in buffer switching (Muhammad Hammad Ijaz)
- nfnetlink_osf: validate individual option lengths in fingerprints (Weiming Shi)
- net: bonding: fix NULL deref in bond_debug_rlb_hash_show (Xiang Mei)
- udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n (Xiang Mei)
- net: macb: fix uninitialized rx_fs_lock (Fedor Pchelkin)
- wifi: mac80211: fix NULL deref in mesh_matches_local() (Xiang Mei)
- igc: fix missing update of skb->tail in igc_xmit_frame() (Kohei Enju)
- net: usb: aqc111: Do not perform PM inside suspend callback (Nikola Z. Ivanov)
- net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() (Jiayuan Chen)
- net/smc: Fix slab-out-of-bounds issue in fallback (Wen Gu)
- net/smc: Only save the original clcsock callback functions (Wen Gu)
- PM: runtime: Fix a race condition related to device removal (Bart Van Assche)
- sched: idle: Consolidate the handling of two special cases (Rafael J. Wysocki)
- net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown (Dipayaan Roy)
- net: bcmgenet: increase WoL poll timeout (Justin Chen)
- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (Jenny Guanni Qu)
- netfilter: xt_time: use unsigned int for monthday bit shift (Jenny Guanni Qu)
- netfilter: xt_CT: drop pending enqueued packets on template removal (Pablo Neira Ayuso)
- netfilter: nft_ct: drop pending enqueued packets on removal (Pablo Neira Ayuso)
- netfilter: nft_ct: add seqadj extension for natted connections (Andrii Melnychenko)
- netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case (Jenny Guanni Qu)
- netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() (Lukas Johannes Möller)
- netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() (Hyunwoo Kim)
- netfilter: ctnetlink: remove refcounting in expectation dumpers (Florian Westphal)
- net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect (Jiayuan Chen)
- Bluetooth: qca: fix ROM version reading on WCN3998 chips (Dmitry Baryshkov)
- Bluetooth: HIDP: Fix possible UAF (Luiz Augusto von Dentz)
- Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy (Christian Eggers)
- Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU (Christian Eggers)
- Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU (Christian Eggers)
- firmware: arm_scpi: Fix device_node reference leak in probe path (Felix Gu)
- of: Add cleanup.h based auto release via __free(device_node) markings (Jonathan Cameron)
- wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. (Kuniyuki Iwashima)
- soc: fsl: qbman: fix race condition in qman_destroy_fq (Richard Genoud)
- btrfs: tree-checker: fix misleading root drop_level error message (ZhengYuan Huang)
- batman-adv: avoid OGM aggregation when skb tailroom is insufficient (Yang Yang)
- pmdomain: bcm: bcm2835-power: Increase ASB control timeout (Maíra Canal)
- mptcp: pm: avoid sending RM_ADDR over same subflow (Matthieu Baerts (NGI0))
- drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink (Natalie Vock)
- net: phy: register phy led_triggers during probe to avoid AB-BA deadlock (Andrew Lunn)
- smb: client: Don't log plaintext credentials in cifs_set_cifscreds (Thorsten Blum)
- RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() (Jason Gunthorpe)
- wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() (Daniil Dulov)
- wifi: cfg80211: move scan done work to wiphy work (Johannes Berg)
- wifi: libertas: fix use-after-free in lbs_free_adapter() (Daniel Hodges)
- ext4: always allocate blocks only from groups inode can use (Jan Kara)
- ksmbd: fix null pointer dereference error in generate_encryptionkey (Namjae Jeon)
- ext4: fix dirtyclusters double decrement on fs shutdown (Brian Foster)
- ext4: drop extent cache when splitting extent fails (Zhang Yi)
- ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O (Zhang Yi)
- ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths (Fedor Pchelkin)
- drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free (Jeongjun Park)
- drm/exynos: vidi: fix to avoid directly dereferencing user pointer (Jeongjun Park)
- drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() (Jeongjun Park)
- net: Handle napi_schedule() calls from non-interrupt (Frederic Weisbecker)
- net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz (Huacai Chen)
- drm/radeon: apply state adjust rules to some additional HAINAN vairants (Alex Deucher)
- serial: uartlite: fix PM runtime usage count underflow on probe (Maciej Andrzejewski ICEYE)
- serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY (Ilpo Järvinen)
- serial: 8250: Fix TX deadlock when using DMA (Raul E Rangel)
- serial: 8250_pci: add support for the AX99100 (Martin Roukala (né Peres))
- iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry (Guanghui Feng)
- mtd: Avoid boot crash in RedBoot partition table parser (Finn Thain)
- mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() (Chen Ni)
- mtd: rawnand: pl353: make sure optimal timings are applied (Olivier Sobrie)
- mmc: sdhci: fix timing selection for 1-bit bus width (Luke Wang)
- mmc: sdhci-pci-gli: fix GL9750 DMA write corruption (Matthew Schwartz)
- Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access (Lukas Johannes Möller)
- Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() (Lukas Johannes Möller)
- net: macb: fix use-after-free access to PTP clock (Fedor Pchelkin)
- NFC: nxp-nci: allow GPIOs to sleep (Ian Ray)
- nvdimm/bus: Fix potential use after free in asynchronous initialization (Ira Weiny)
- sunrpc: fix cache_request leak in cache_release (Jeff Layton)
- driver: iio: add missing checks on iio_info's callback access (Julien Stephan)
- io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop (Jens Axboe)
- l2tp: do not use sock_hold() in pppol2tp_session_get_sock() (Eric Dumazet)
- bpf: Forget ranges when refining tnum after JSET (Paul Chaignon)
- i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor (Adrian Hunter)
- i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort (Adrian Hunter)
- i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors (Adrian Hunter)
- iio: imu: inv_icm42600: fix odr switch to the same value (Jean-Baptiste Maneyrol)
- iio: gyro: mpu3050-i2c: fix pm_runtime error handling (Antoniu Miclaus)
- iio: gyro: mpu3050-core: fix pm_runtime error handling (Antoniu Miclaus)
- iio: chemical: bme680: Fix measurement wait duration calculation (Chris Spencer)
- iio: potentiometer: mcp4131: fix double application of wiper shift (Lukas Schmid)
- iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() (Antoniu Miclaus)
- iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() (Antoniu Miclaus)
- iio: dac: ds4424: reject -128 RAW value (Oleksij Rempel)
- btrfs: abort transaction on failure to update root in the received subvol ioctl (Filipe Manana)
- lib/bootconfig: check bounds before writing in __xbc_open_brace() (Josh Law)
- lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() (Josh Law)
- x86/apic: Disable x2apic on resume if the kernel expects so (Shashank Balaji)
- lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error (Josh Law)
- xfs: fix undersized l_iclog_roundoff values (Darrick J. Wong)
- tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G (Calvin Owens)
- drm/amdgpu: Fix use-after-free race in VM acquire (Alysa Liu)
- net: ethernet: arc: emac: quiesce interrupts before requesting IRQ (Fan Wu)
- net: ncsi: fix skb leak in error paths (Jian Zhang)
- parisc: Fix initial page table creation for boot (Helge Deller)
- hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read (Sanman Pradhan)
- nouveau/dpcd: return EBUSY for aux xfer if the device is asleep (Dave Airlie)
- parisc: Increase initial mapping to 64 MB with KALLSYMS (Helge Deller)
- batman-adv: Avoid double-rtnl_lock ELP metric worker (Sven Eckelmann)
- ice: fix retry for AQ command 0x06EE (Jakub Staniszewski)
- net: mana: Ring doorbell at 4 CQ wraparounds (Long Li)
- media: dvb-net: fix OOB access in ULE extension header tables (Ariel Silver)
- staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() (Greg Kroah-Hartman)
- staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie (Luka Gejak)
- irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports (Marc Zyngier)
- device property: Allow secondary lookup in fwnode_get_next_child_node() (Andy Shevchenko)
- time/jiffies: Mark jiffies_64_to_clock_t() notrace (Steven Rostedt)
- time: add kernel-doc in time.c (Randy Dunlap)
- ceph: fix i_nlink underrun during async unlink (Max Kellermann)
- libceph: admit message frames only in CEPH_CON_S_OPEN state (Ilya Dryomov)
- libceph: Use u32 for non-negative values in ceph_monmap_decode() (Raphael Zimmer)
- libceph: prevent potential out-of-bounds reads in process_message_header() (Ilya Dryomov)
- libceph: reject preamble if control segment is empty (Ilya Dryomov)
- libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() (Raphael Zimmer)
- tipc: fix divide-by-zero in tipc_sk_filter_connect() (Mehul Rao)
- mmc: core: Avoid bitfield RMW for claim/retune flags (Penghe Geng)
- mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() (Felix Gu)
- mm/tracing: rss_stat: ensure curr is false from kthread context (Kalesh Singh)
- usb: image: mdc800: kill download URB on timeout (Ziyi Guo)
- usb: mdc800: handle signal and read racing (Oliver Neukum)
- usb: renesas_usbhs: fix use-after-free in ISR during device removal (Fan Wu)
- usb: class: cdc-wdm: fix reordering issue in read code path (Oliver Neukum)
- USB: core: Limit the length of unkillable synchronous timeouts (Alan Stern)
- USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts (Alan Stern)
- USB: usbcore: Introduce usb_bulk_msg_killable() (Alan Stern)
- usb: cdc-acm: Restore CAP_BRK functionnality to CH343 (Marc Zyngier)
- usb: core: don't power off roothub PHYs if phy_set_mode() fails (Gabor Juhos)
- usb: misc: uss720: properly clean up reference in uss720_probe() (Greg Kroah-Hartman)
- usb: yurex: fix race in probe (Oliver Neukum)
- usb: xhci: Fix memory leak in xhci_disable_slot() (Zilin Guan)
- usb/core/quirks: Add Huawei ME906S-device to wakeup quirk (Christoffer Sandberg)
- net: usb: lan78xx: skip LTM configuration for LAN7850 (Oleksij Rempel)
- net: usb: lan78xx: fix silent drop of packets with checksum errors (Oleksij Rempel)
- cgroup: fix race between task migration and iteration (Qingye Zhao)
- octeontx2-af: devlink: fix NIX RAS reporter recovery condition (Alok Tiwari)
- ASoC: detect empty DMI strings (Casey Connolly)
- ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition (Chen Ni)
- ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() (Ben Dooks)
- e1000/e1000e: Fix leak in DMA error cleanup (Matt Vollrath)
- i40e: fix src IP mask checks and memcpy argument names in cloud filter (Alok Tiwari)
- nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set (Sungwoo Kim)
- regulator: pca9450: Correct interrupt type (Peng Fan)
- regulator: pca9450: Make IRQ optional (Frieder Schrempf)
- netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels (Yuan Tan)
- netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() (Hyunwoo Kim)
- netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path (Hyunwoo Kim)
- netfilter: x_tables: guard option walkers against 1-byte tail reads (David Dull)
- netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() (Jenny Guanni Qu)
- can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value (Wenyuan Li)
- serial: caif: hold tty->link reference in ldisc_open and ser_release (Shuangpeng Bai)
- ASoC: soc-core: flush delayed work before removing DAIs and widgets (matteo.cotifava)
- ASoC: core: Do not call link_exit() on uninitialized rtd objects (Amadeusz Sławiński)
- ASoC: core: Exit all links before removing their components (Cezary Rojewski)
- ASoC: soc-core: accept zero format at snd_soc_runtime_set_dai_fmt() (Kuninori Morimoto)
- ASoC: soc-core: drop delayed_work_pending() check before flush (matteo.cotifava)
- net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit (Weiming Shi)
- net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery (Gal Pressman)
- bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states (Hangbin Liu)
- xprtrdma: Decrement re_receiving on the early exit paths (Eric Badger)
- powerpc: 83xx: km83xx: Fix keymile vendor prefix (J. Neuschäfer)
- remoteproc: sysmon: Correct subsys_name_len type in QMI request (Bjorn Andersson)
- powerpc/uaccess: Fix inline assembly for clang build on PPC32 (Christophe Leroy (CS GROUP))
- ALSA: usb-audio: Check max frame size for implicit feedback mode, too (Takashi Iwai)
- ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 (Takashi Iwai)
- scsi: ses: Fix devices attaching to different hosts (Tomas Henzl)
- ACPI: OSI: Add DMI quirk for Acer Aspire One D255 (Sofia Schneider)
- unshare: fix unshare_fs() handling (Al Viro)
- scsi: mpi3mr: Add NULL checks when resetting request and reply queues (Ranjan Kumar)
- ACPI: PM: Save NVS memory on Lenovo G70-35 (Piotr Mazek)
- scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT (Jan Kiszka)
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (Victor Nogueira)
- net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop (Jiayuan Chen)
- net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled (Fernando Fernandez Mancera)
- net: stmmac: Fix error handling in VLAN add and delete paths (Ovidiu Panait)
- nfc: rawsock: cancel tx_work before socket teardown (Jakub Kicinski)
- nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback (Jakub Kicinski)
- nfc: nci: free skb on nci_transceive early error paths (Jakub Kicinski)
- net: nfc: nci: Fix zero-length proprietary notifications (Ian Ray)
- net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs (Koichiro Den)
- amd-xgbe: fix sleep while atomic on suspend/resume (Raju Rangoju)
- ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() (Jakub Kicinski)
- xen/acpi-processor: fix _CST detection using undersized evaluation buffer (David Thomson)
- indirect_call_wrapper: do not reevaluate function pointer (Eric Dumazet)
- wifi: wlcore: Fix a locking bug (Bart Van Assche)
- can: mcp251x: fix deadlock in error path of mcp251x_open (Alban Bedel)
- can: bcm: fix locking for bcm_op runtime updates (Oliver Hartkopp)
- atm: lec: fix null-ptr-deref in lec_arp_clear_vccs (Jiayuan Chen)
- dpaa2-switch: do not clear any interrupts automatically (Ioana Ciornei)
- net: dpaa2-switch: serialize changes to priv->mac with a mutex (Vladimir Oltean)
- net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac() (Vladimir Oltean)
- net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call (Vladimir Oltean)
- net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy() (Vladimir Oltean)
- net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table (Chintan Vankar)
- platform/x86: thinkpad_acpi: Fix errors reading battery thresholds (Jonathan Teh)
- selftests: mptcp: more stable simult_flows tests (Paolo Abeni)
- drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() (Lars Ellenberg)
- Squashfs: check metadata block offset is within range (Phillip Lougher)
- net/sched: ets: fix divide by zero in the offload path (Davide Caratti)
- IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() (Jason Gunthorpe)
- wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() (Vahagn Vardanian)
- wifi: radiotap: reject radiotap with unknown bits (Johannes Berg)
- ALSA: usb-audio: Use correct version for UAC3 header validation (Jun Seo)
- platform/x86: dell-wmi: Add audio/mic mute key codes (Kurt Borja)
- platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data (Thorsten Blum)
- x86/efi: defer freeing of boot services memory (Mike Rapoport (Microsoft))
- HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them (Greg Kroah-Hartman)
- can: usb: etas_es58x: correctly anchor the urb in the read bulk callback (Greg Kroah-Hartman)
- can: ucan: Fix infinite loop from zero-length messages (Greg Kroah-Hartman)
- can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message (Greg Kroah-Hartman)
- net: usb: pegasus: validate USB endpoints (Greg Kroah-Hartman)
- net: usb: kalmia: validate USB endpoints (Greg Kroah-Hartman)
- net: usb: kaweth: validate USB endpoints (Greg Kroah-Hartman)
- nfc: pn533: properly drop the usb interface reference on disconnect (Greg Kroah-Hartman)
- media: dvb-core: fix wrong reinitialization of ringbuffer on reopen (Jens Axboe)
- eventpoll: Fix integer overflow in ep_loop_check_proc() (Jann Horn)
- net: arcnet: com20020-pci: fix support for 2.5Mbit cards (Ethan Nelson-Moore)
- ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 (Takashi Iwai)
- fbcon: check return value of con2fb_acquire_newinfo() (Andrey Vatoropin)
- fbcon: move more common code into fb_open() (Daniel Vetter)
- fbcon: Extract fbcon_open/release helpers (Daniel Vetter)
- fbcon: Use delayed work for cursor (Daniel Vetter)
- ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths (Namjae Jeon)
- ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 (Takashi Iwai)
- usb: cdns3: fix role switching during resume (Thomas Richard (TI))
- usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() (Théo Lebrun)
- usb: cdns3: remove redundant if branch (Hongyu Xie)
- clk: tegra: tegra124-emc: fix device leak on set_rate() (Johan Hovold)
- mfd: omap-usb-host: Fix OF populate on driver rebind (Johan Hovold)
- mfd: omap-usb-host: Convert to platform remove callback returning void (Uwe Kleine-König)
- mfd: qcom-pm8xxx: Fix OF populate on driver rebind (Johan Hovold)
- mfd: qcom-pm8xxx: Convert to platform remove callback returning void (Uwe Kleine-König)
- mfd: qcom-pm8xxx: switch away from using chained IRQ handlers (Dmitry Baryshkov)
- drm/tegra: dsi: fix device leak on probe (Johan Hovold)
- ata: libata-scsi: refactor ata_scsi_translate() (Damien Le Moal)
- ata: libata: remove pointless VPRINTK() calls (Hannes Reinecke)
- ata: libata-scsi: drop DPRINTK calls for cdb translation (Hannes Reinecke)
- scsi: ata: Call scsi_done() directly (Bart Van Assche)
- ARM: omap2: Fix reference count leaks in omap_control_init() (Wentao Liang)
- ARM: OMAP2+: add missing of_node_put before break and return (Wang Qing)
- memory: mtk-smi: fix device leak on larb probe (Johan Hovold)
- memory: mtk-smi: Convert to platform remove callback returning void (Uwe Kleine-König)
- bpf: Fix stack-out-of-bounds write in devmap (Kohei Enju)
- btrfs: fix incorrect key offset in error message in check_dev_extent_item() (Mark Harmstone)
- ALSA: usb-audio: Use inclusive terms (Takashi Iwai)
- ALSA: usb-audio: Cap the packet size pre-calculations (Takashi Iwai)
- scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume (Peter Wang)
- scsi: ufs: core: Always initialize the UIC done completion (Bart Van Assche)
- scsi: lpfc: Properly set WC for DPP mapping (Mathias Krause)
- ARM: clean up the memset64() C wrapper (Thomas Weißschuh)

[5.15.0-322.202.1]
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker (Michael Bommarito) [Orabug: 39446044]
- scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 (Michael Bommarito) [Orabug: 39446044]
- scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() (Michael Bommarito) [Orabug: 39446044]
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf (Michael Bommarito) [Orabug: 39446044]
- ima: process_measurement() needlessly takes inode_lock() on MAY_READ (Frederick Lawler) [Orabug: 39390378]
- net: sched: act_api: implement generic walker and search for tc action (Zhengchao Shao) [Orabug: 39342047]
- btrfs: reserve extra space for the free space tree (Josef Bacik) [Orabug: 39281379]
- btrfs: include the free space tree in the global rsv minimum calculation (Josef Bacik) [Orabug: 39281379]

[5.15.0-321.202.5]
- Revert "ip6_tunnel: Fix usage of skb_vlan_inet_prepare()" (Harshit Mogalapalli) [Orabug: 39476647]
- smb: client: reject userspace cifs.spnego descriptions (Asim Viladi Oglu Manizada) [Orabug: 39463672]

[5.15.0-321.202.4]
- tun: free page on build_skb failure in tun_xdp_one() (Weiming Shi) [Orabug: 39429143]
- tap: free page on error paths in tap_get_user_xdp() (Weiming Shi) [Orabug: 39429143]
- tun: free page on short-frame rejection in tun_xdp_one() (Weiming Shi) [Orabug: 39429143]

[5.15.0-321.202.3]
- net: skbuff: propagate shared-frag marker through frag-transfer helpers (Hyunwoo Kim) [Orabug: 39368827] {CVE-2026-46300}
- net: skbuff: preserve shared-frag marker during coalescing (William Bowling) [Orabug: 39368827]
- ptrace: slightly saner 'get_dumpable()' logic (Linus Torvalds) [Orabug: 39384274] {CVE-2026-46333}
- mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather (David Hildenbrand (Red Hat)) [Orabug: 38474901]
- Revert "mm/hugetlb: add option to allows disabling CVE-2025-38085 mitigation" (Samasth Norway Ananda) [Orabug: 38474901]
- mm/rmap: fix two comments related to huge_pmd_unshare() (David Hildenbrand (Red Hat)) [Orabug: 38474901]
- mm/hugetlb: fix two comments related to huge_pmd_unshare() (David Hildenbrand (Red Hat)) [Orabug: 38474901]
- mm/hugetlb: fix hugetlb_pmd_shared() (David Hildenbrand (Red Hat)) [Orabug: 38474901]

[5.15.0-321.202.2]
- dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler (Guenter Roeck)
- Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" (Sasha Levin)
- ip6_tunnel: Fix usage of skb_vlan_inet_prepare() (Ben Hutchings)
- hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race (Gui-Dong Han)
- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom (Guenter Roeck)
- sched: idle: Make skipping governor callbacks more consistent (Rafael J. Wysocki)
- nvmet-tcp: fix use-before-check of sg in bounds validation (Cengiz Can)
- remoteproc: mediatek: Unprepare SCP clock during system suspend (Tzung-Bi Shih)
- net: openvswitch: Avoid releasing netdev before teardown completes (Toke Høiland-Jørgensen)
- ACPI: processor: Fix previous acpi_processor_errata_piix4() fix (Rafael J. Wysocki)
- net: hsr: fix VLAN add unwind on slave errors (Luka Gejak)
- x86/CPU/AMD: Add a fix for AMD-SB-7052 (Prathyushi Nangia) [Orabug: 39327141] {CVE-2025-54518}
- xfrm: esp: ipv4: fix up flags setting (Greg Kroah-Hartman) [Orabug: 39342679] {CVE-2026-43284}
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen) [Orabug: 39342679] {CVE-2026-43284}
- KVM: x86: disable preemption around the call to kvm_arch_vcpu_{un|}blocking (Maxim Levitsky) [Orabug: 39334996]
- KVM: Don't block+unblock when halt-polling is successful (Sean Christopherson) [Orabug: 39334996]
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Jeff Layton) [Orabug: 39167616] {CVE-2026-31402}
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (Victor Nogueira) [Orabug: 39103230] {CVE-2026-23270}
- exadata: tools: perf: update column to comm_nodigit (Stephen Brennan) [Orabug: 39327019]
- perf report: Add comm_nodigit sort key (Stephen Brennan) [Orabug: 39327019]
- Revert "tools: perf: add comm_ignore_digit column" (Stephen Brennan) [Orabug: 39327019]



ELSA-2026-50388 Important: Oracle Linux 8 Unbreakable Enterprise kernel security update


Oracle Linux Security Advisory ELSA-2026-50388

http://linux.oracle.com/errata/ELSA-2026-50388.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-uek-5.4.17-2136.357.3.2.el8uek.x86_64.rpm
kernel-uek-container-5.4.17-2136.357.3.2.el8uek.x86_64.rpm
kernel-uek-container-debug-5.4.17-2136.357.3.2.el8uek.x86_64.rpm
kernel-uek-debug-5.4.17-2136.357.3.2.el8uek.x86_64.rpm
kernel-uek-debug-devel-5.4.17-2136.357.3.2.el8uek.x86_64.rpm
kernel-uek-devel-5.4.17-2136.357.3.2.el8uek.x86_64.rpm
kernel-uek-doc-5.4.17-2136.357.3.2.el8uek.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/kernel-uek-5.4.17-2136.357.3.2.el8uek.src.rpm

Related CVEs:

CVE-2026-43499

Description of changes:

[5.4.17-2136.357.3.2]
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Davidlohr Bueso) [Orabug: 39706958]
- rtmutex: Use waiter::task instead of current in remove_waiter() (Keenan Dong) [Orabug: 39706958] {CVE-2026-43499}



ELBA-2026-50378 Oracle Linux 9 fips-provider-next bug fix update


Oracle Linux Bug Fix Advisory ELBA-2026-50378

http://linux.oracle.com/errata/ELBA-2026-50378.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
fips-provider-next-1.2.0-5.0.2.el9.x86_64.rpm

aarch64:
fips-provider-next-1.2.0-5.0.2.el9.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/fips-provider-next-1.2.0-5.0.2.el9.src.rpm

Description of changes:

[1.2.0-5.0.2]
- Fix FIPS module name/version [Orabug: 39680808]



ELSA-2026-50387 Important: Oracle Linux 8 Unbreakable Enterprise kernel security update


Oracle Linux Security Advisory ELSA-2026-50387

http://linux.oracle.com/errata/ELSA-2026-50387.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-core-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-debug-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-debug-core-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-debug-devel-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-debug-modules-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-debug-modules-extra-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-devel-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-doc-5.15.0-322.203.3.3.el8uek.noarch.rpm
kernel-uek-modules-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-modules-extra-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-container-5.15.0-322.203.3.3.el8uek.x86_64.rpm
kernel-uek-container-debug-5.15.0-322.203.3.3.el8uek.x86_64.rpm

aarch64:
bpftool-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-core-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-debug-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-debug-core-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-debug-devel-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-debug-modules-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-debug-modules-extra-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-devel-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-doc-5.15.0-322.203.3.3.el8uek.noarch.rpm
kernel-uek-modules-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-modules-extra-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-container-5.15.0-322.203.3.3.el8uek.aarch64.rpm
kernel-uek-container-debug-5.15.0-322.203.3.3.el8uek.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/kernel-uek-5.15.0-322.203.3.3.el8uek.src.rpm

Related CVEs:

CVE-2026-43499

Description of changes:

[5.15.0-322.203.3.3]
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Davidlohr Bueso) [Orabug: 39706512]
- rtmutex: Use waiter::task instead of current in remove_waiter() (Keenan Dong) [Orabug: 39706512] {CVE-2026-43499}



ELSA-2026-36734 Low: Oracle Linux 8 libxml2 security update


Oracle Linux Security Advisory ELSA-2026-36734

http://linux.oracle.com/errata/ELSA-2026-36734.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
libxml2-2.9.7-21.el8_10.6.i686.rpm
libxml2-2.9.7-21.el8_10.6.x86_64.rpm
libxml2-devel-2.9.7-21.el8_10.6.i686.rpm
libxml2-devel-2.9.7-21.el8_10.6.x86_64.rpm
python3-libxml2-2.9.7-21.el8_10.6.x86_64.rpm

aarch64:
libxml2-2.9.7-21.el8_10.6.aarch64.rpm
libxml2-devel-2.9.7-21.el8_10.6.aarch64.rpm
python3-libxml2-2.9.7-21.el8_10.6.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/libxml2-2.9.7-21.el8_10.6.src.rpm

Related CVEs:

CVE-2025-6170

Description of changes:

[2.9.7-21.6]
- Fix CVE-2025-6170 (RHEL-182012)



ELBA-2026-25921 Oracle Linux 8 scap-security-guide bug fix and enhancement update


Oracle Linux Bug Fix Advisory ELBA-2026-25921

http://linux.oracle.com/errata/ELBA-2026-25921.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
scap-security-guide-0.1.81-1.0.1.el8_10.noarch.rpm
scap-security-guide-doc-0.1.81-1.0.1.el8_10.noarch.rpm

aarch64:
scap-security-guide-0.1.81-1.0.1.el8_10.noarch.rpm
scap-security-guide-doc-0.1.81-1.0.1.el8_10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/scap-security-guide-0.1.81-1.0.1.el8_10.src.rpm

Description of changes:

[0.1.81-1.0.1]
- Update OL8 STIG to V2R8 [Orabug: 39500191]
- Update OL9 STIG to V1R5 [Orabug: 39500191]
- Fix RH rerefences for OL10 [Orabug: 39500191]

[0.1.81.openela.1.0]
- Make OpenELA a derivative of RHEL

[0.1.81-1]
- Rebase scap-security-guide to 0.1.81 (RHEL-177640)



ELSA-2026-36728 Low: Oracle Linux 8 libtasn1 security update


Oracle Linux Security Advisory ELSA-2026-36728

http://linux.oracle.com/errata/ELSA-2026-36728.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
libtasn1-4.13-6.el8_10.i686.rpm
libtasn1-4.13-6.el8_10.x86_64.rpm
libtasn1-devel-4.13-6.el8_10.i686.rpm
libtasn1-devel-4.13-6.el8_10.x86_64.rpm
libtasn1-tools-4.13-6.el8_10.x86_64.rpm

aarch64:
libtasn1-4.13-6.el8_10.aarch64.rpm
libtasn1-devel-4.13-6.el8_10.aarch64.rpm
libtasn1-tools-4.13-6.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/libtasn1-4.13-6.el8_10.src.rpm

Related CVEs:

CVE-2025-13151

Description of changes:

[4.13-6]
- Backport the fix for CVE-2025-13151 (RHEL-139546)



ELSA-2026-37282 Important: Oracle Linux 8 unbound security update


Oracle Linux Security Advisory ELSA-2026-37282

http://linux.oracle.com/errata/ELSA-2026-37282.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
python3-unbound-1.16.2-5.12.el8_10.x86_64.rpm
unbound-1.16.2-5.12.el8_10.x86_64.rpm
unbound-devel-1.16.2-5.12.el8_10.i686.rpm
unbound-devel-1.16.2-5.12.el8_10.x86_64.rpm
unbound-libs-1.16.2-5.12.el8_10.i686.rpm
unbound-libs-1.16.2-5.12.el8_10.x86_64.rpm

aarch64:
python3-unbound-1.16.2-5.12.el8_10.aarch64.rpm
unbound-1.16.2-5.12.el8_10.aarch64.rpm
unbound-devel-1.16.2-5.12.el8_10.aarch64.rpm
unbound-libs-1.16.2-5.12.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/unbound-1.16.2-5.12.el8_10.src.rpm

Related CVEs:

CVE-2026-40622
CVE-2026-41292
CVE-2026-42534
CVE-2026-44390

Description of changes:

[1.16.2-5.12]
- Fix CVE-2026-40622 (RHEL-184832)
- Fix CVE-2026-44390 (RHEL-186680)
- Fix CVE-2026-41292 (RHEL-187346)
- Fix CVE-2026-42534 (RHEL-187081)



ELSA-2026-37137 Important: Oracle Linux 8 tomcat security, bug fix, and enhancement update


Oracle Linux Security Advisory ELSA-2026-37137

http://linux.oracle.com/errata/ELSA-2026-37137.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
tomcat-9.0.87-2.el8_10.noarch.rpm
tomcat-admin-webapps-9.0.87-2.el8_10.noarch.rpm
tomcat-docs-webapp-9.0.87-2.el8_10.noarch.rpm
tomcat-el-3.0-api-9.0.87-2.el8_10.noarch.rpm
tomcat-jsp-2.3-api-9.0.87-2.el8_10.noarch.rpm
tomcat-lib-9.0.87-2.el8_10.noarch.rpm
tomcat-servlet-4.0-api-9.0.87-2.el8_10.noarch.rpm
tomcat-webapps-9.0.87-2.el8_10.noarch.rpm

aarch64:
tomcat-9.0.87-2.el8_10.noarch.rpm
tomcat-admin-webapps-9.0.87-2.el8_10.noarch.rpm
tomcat-docs-webapp-9.0.87-2.el8_10.noarch.rpm
tomcat-el-3.0-api-9.0.87-2.el8_10.noarch.rpm
tomcat-jsp-2.3-api-9.0.87-2.el8_10.noarch.rpm
tomcat-lib-9.0.87-2.el8_10.noarch.rpm
tomcat-servlet-4.0-api-9.0.87-2.el8_10.noarch.rpm
tomcat-webapps-9.0.87-2.el8_10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/tomcat-9.0.87-2.el8_10.src.rpm

Related CVEs:

CVE-2026-29146
CVE-2026-34486

Description of changes:

[1:9.0.87-2]
- Resolves: RHEL-183993 Remove tomcat clustering JAR from RPM builds



ELSA-2026-36733 Moderate: Oracle Linux 8 cups security update


Oracle Linux Security Advisory ELSA-2026-36733

http://linux.oracle.com/errata/ELSA-2026-36733.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
cups-2.2.6-68.el8_10.x86_64.rpm
cups-client-2.2.6-68.el8_10.x86_64.rpm
cups-devel-2.2.6-68.el8_10.i686.rpm
cups-devel-2.2.6-68.el8_10.x86_64.rpm
cups-filesystem-2.2.6-68.el8_10.noarch.rpm
cups-ipptool-2.2.6-68.el8_10.x86_64.rpm
cups-libs-2.2.6-68.el8_10.i686.rpm
cups-libs-2.2.6-68.el8_10.x86_64.rpm
cups-lpd-2.2.6-68.el8_10.x86_64.rpm

aarch64:
cups-2.2.6-68.el8_10.aarch64.rpm
cups-client-2.2.6-68.el8_10.aarch64.rpm
cups-devel-2.2.6-68.el8_10.aarch64.rpm
cups-filesystem-2.2.6-68.el8_10.noarch.rpm
cups-ipptool-2.2.6-68.el8_10.aarch64.rpm
cups-libs-2.2.6-68.el8_10.aarch64.rpm
cups-lpd-2.2.6-68.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/cups-2.2.6-68.el8_10.src.rpm

Related CVEs:

CVE-2026-34980

Description of changes:

[1:2.2.6-68]
- RHEL-177947 CVE-2026-34980 cups: control character injection in option values



ELSA-2026-37130 Important: Oracle Linux 8 gstreamer1-plugins-bad-free security update


Oracle Linux Security Advisory ELSA-2026-37130

http://linux.oracle.com/errata/ELSA-2026-37130.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
gstreamer1-plugins-bad-free-1.16.1-8.0.1.el8_10.i686.rpm
gstreamer1-plugins-bad-free-1.16.1-8.0.1.el8_10.x86_64.rpm
gstreamer1-plugins-bad-free-devel-1.16.1-8.0.1.el8_10.i686.rpm
gstreamer1-plugins-bad-free-devel-1.16.1-8.0.1.el8_10.x86_64.rpm

aarch64:
gstreamer1-plugins-bad-free-1.16.1-8.0.1.el8_10.aarch64.rpm
gstreamer1-plugins-bad-free-devel-1.16.1-8.0.1.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/gstreamer1-plugins-bad-free-1.16.1-8.0.1.el8_10.src.rpm

Related CVEs:

CVE-2026-52720
CVE-2026-52722

Description of changes:

[1.16.1-8.0.1]
- Update origin URL [Orabug: 36209826]

[1.16.1-8]
- Fix for CVE-2026-52720: librfb framebuffer update rectangle
validation
Resolves: RHEL-184455

[1.16.1-7]
- Fix integer overflow in vmncdec (CVE-2026-52722)
Resolves: RHEL-184414



ELSA-2026-36774 Important: Oracle Linux 8 gstreamer1-plugins-good security update


Oracle Linux Security Advisory ELSA-2026-36774

http://linux.oracle.com/errata/ELSA-2026-36774.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
gstreamer1-plugins-good-1.16.1-7.el8_10.i686.rpm
gstreamer1-plugins-good-1.16.1-7.el8_10.x86_64.rpm
gstreamer1-plugins-good-gtk-1.16.1-7.el8_10.i686.rpm
gstreamer1-plugins-good-gtk-1.16.1-7.el8_10.x86_64.rpm

aarch64:
gstreamer1-plugins-good-1.16.1-7.el8_10.aarch64.rpm
gstreamer1-plugins-good-gtk-1.16.1-7.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/gstreamer1-plugins-good-1.16.1-7.el8_10.src.rpm

Related CVEs:

CVE-2026-53705

Description of changes:

[1.16.1-7]
- Fix integer overflow vulnerabilities in wavpackdec (CVE-2026-53705)
Resolves: RHEL-184473



ELSA-2026-36732 Moderate: Oracle Linux 8 python-urllib3 security update


Oracle Linux Security Advisory ELSA-2026-36732

http://linux.oracle.com/errata/ELSA-2026-36732.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
python3-urllib3-1.24.2-10.el8_10.noarch.rpm

aarch64:
python3-urllib3-1.24.2-10.el8_10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/python-urllib3-1.24.2-10.el8_10.src.rpm

Related CVEs:

CVE-2026-44431

Description of changes:

[1.24.2-10]
- Security fix for CVE-2026-44431
Resolves: RHEL-184858



ELSA-2026-36730 Moderate: Oracle Linux 8 libsolv security update


Oracle Linux Security Advisory ELSA-2026-36730

http://linux.oracle.com/errata/ELSA-2026-36730.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
libsolv-0.7.20-7.el8_10.i686.rpm
libsolv-0.7.20-7.el8_10.x86_64.rpm
libsolv-devel-0.7.20-7.el8_10.i686.rpm
libsolv-devel-0.7.20-7.el8_10.x86_64.rpm
libsolv-tools-0.7.20-7.el8_10.x86_64.rpm
python3-solv-0.7.20-7.el8_10.x86_64.rpm

aarch64:
libsolv-0.7.20-7.el8_10.aarch64.rpm
libsolv-devel-0.7.20-7.el8_10.aarch64.rpm
libsolv-tools-0.7.20-7.el8_10.aarch64.rpm
python3-solv-0.7.20-7.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/libsolv-0.7.20-7.el8_10.src.rpm

Related CVEs:

CVE-2026-48864

Description of changes:

[0.7.20-7]
- Fix a buffer overflow when decompressing solv pages (CVE-2026-48864)
(RHEL-178970)



ELSA-2026-36201 Important: Oracle Linux 8 389-ds:1.4 security update


Oracle Linux Security Advisory ELSA-2026-36201

http://linux.oracle.com/errata/ELSA-2026-36201.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
389-ds-base-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.x86_64.rpm
389-ds-base-devel-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.x86_64.rpm
389-ds-base-legacy-tools-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.x86_64.rpm
389-ds-base-libs-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.x86_64.rpm
389-ds-base-snmp-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.x86_64.rpm
python3-lib389-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.noarch.rpm

aarch64:
389-ds-base-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.aarch64.rpm
389-ds-base-devel-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.aarch64.rpm
389-ds-base-legacy-tools-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.aarch64.rpm
389-ds-base-libs-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.aarch64.rpm
389-ds-base-snmp-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.aarch64.rpm
python3-lib389-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/389-ds-base-1.4.3.39-25.module+el8.10.0+90949+c5bfd23c.src.rpm

Related CVEs:

CVE-2026-11610
CVE-2026-11774

Description of changes:

[1.4.3.39-25]
- Bump version to 1.4.3.39-25
- Resolves: RHEL-182162 - EMBARGOED CVE-2026-11610 389-ds-base: 389-ds-base: Heap buffer overflow in sasl_io_recv() via padded SASL UNBIND [rhel-8.10.z]
- Resolves: RHEL-183102 - CVE-2026-11774 389-ds-base: 389-ds-base: integer overflow in SASL packet length bypasses size limit

[1.4.3.39-24]
- Bump version to 1.4.3.39-24
- Resolves: RHEL-170278 - Memory leaks in syncrepl plugin during persistent search operations [rhel-8.10.z]
- Resolves: RHEL-163375 - WARN - keys2idl - received NULL idl from index_read_ext_allids
- Resolves: RHEL-159306 - ns-slapd crash in libdb possible memory corruption [rhel-8.10.z]
- Resolves: RHEL-170284 - access log - suspicious wtime optime negative and large values in internal op [rhel-8.10.z]
- Resolves: RHEL-170507 - ns-slapd fails to shutdown when deferred memberof update is in progress [rhel-8.10.z]
- Resolves: RHEL-170509 - Crash in trim_changelog() during the Retro Changelog trimming [rhel-8.10.z]
- Resolves: RHEL-170514 - Possible memory leak when using the Retro Changelog plugin [rhel-8.10.z]
- Resolves: RHEL-170512 - Crash in replica_config_add when manually configuring a replica with an incorrect nsds5ReplicaRoot [rhel-8.10.z]
- Resolves: RHEL-174523 - [RFE] Add OS-level thread names to all server threads [rhel-8.10.z]
- Resolves: RHEL-170483 - test_vlv_recreation_reindex fails on LMDB [rhel-8.10.z]
- Resolves: RHEL-178076 - CVE-2026-9064 389-ds:1.4/389-ds-base: unbounded LDAP controls count in get_ldapmessage_controls_ext() causes CPU and heap amplification (remote DoS) [rhel-8.10.z]

[1.4.3.39-23]
- Resolves: RHEL-137074 - CVE-2025-14905 389-ds:1.4/389-ds-base: 389-ds-base: Remote Code Execution and Denial of Service via heap buffer overflow [rhel-8.10.z]
- Resolves: RHEL-152098 - Scalability issue of replication online initialization with large database [rhel-8.10.z]

[1.4.3.39-22]
- Resolves: RHEL-148485 - Upgrading IDM to latest version: 389-ds-base and ipa-server breaks replication [rhel-8.10.z]

[1.4.3.39-21]
- Resolves: RHEL-141419 - (&(cn:dn:=groups)) no longer returns results [rhel-8.10.z]
- Resolves: RHEL-140272 - ipa-healthcheck is complaining about missing or
incorrectly configured system indexes. [rhel-8.10.z]

[1.4.3.39-20]
- Resolves: RHEL-140086 - Upgrading IDM to latest version: 389-ds-base and ipa-server breaks replication [rhel-8.10.z]

[1.4.3.39-19]
- Resolves: RHEL-117759 - Replication online reinitialization of a large database gets stalled. [rhel-8.10.z]

[1.4.3.39-18]
- Reverts: RHEL-123241 - Attribute uniqueness is not enforced upon modrdn operation [rhel-8.10.z]

[1.4.3.39-17]
- Resolves: RHEL-80491 - Can't rename users member of automember rule [rhel-8.10.z]
- Resolves: RHEL-87191 - Some replication status data are reset upon a restart. [rhel-8.10.z]
- Resolves: RHEL-89785 - Extend log of operations statistics in access log
- Resolves: RHEL-111226 - Error showing local password policy on web UI [rhel-8.10.z]
- Resolves: RHEL-113976 - AddressSanitizer: memory leak in memberof_add_memberof_attr [rhel-8.10.z]
- Resolves: RHEL-117457 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups
- Resolves: RHEL-117752 - Crash if repl keep alive entry can not be created [rhel-8.10.z]
- Resolves: RHEL-117759 - Replication online reinitialization of a large database gets stalled. [rhel-8.10.z]
- Resolves: RHEL-117765 - Statistics about index lookup report a wrong duration [rhel-8.10.z]
- Resolves: RHEL-123228 - Improve the way to detect asynchronous operations in the access logs [rhel-8.10.z]
- Resolves: RHEL-123241 - Attribute uniqueness is not enforced upon modrdn operation [rhel-8.10.z]
- Resolves: RHEL-123254 - Typo in errors log after a Memberof fixup task. [rhel-8.10.z]
- Resolves: RHEL-123269 - LDAP high CPU usage while handling indexes with IDL scan limit at INT_MAX [rhel-8.10.z]
- Resolves: RHEL-123276 - The new ipahealthcheck test ipahealthcheck.ds.backends.BackendsCheck raises CRITICAL issue [rhel-8.10.z]
- Resolves: RHEL-123363 - When deferred memberof update is enabled after the server crashed it should not launch memberof fixup task by default [rhel-8.10.z]
- Resolves: RHEL-123365 - IPA health check up script shows time skew is over 24 hours [rhel-8.10.z]
- Resolves: RHEL-123920 - Changelog trimming - add number of scanned entries to the log [rhel-8.10.z]
- Resolves: RHEL-126512 - Created user password hash available to see in audit log [rhel-8.10.z]
- Resolves: RHEL-129578 - Fix paged result search locking [rhel-8.10.z]
- Resolves: RHEL-130900 - On RHDS 12.6 The user password policy for a user was created, but the pwdpolicysubentry attribute for this user incorrectly points to the People OU password policy instead of the specific user policy. [rhel-8.10.z]

[1.4.3.39-15]
- Resolves: RHEL-109028 - Allow Uniqueness plugin to search uniqueness attributes using custom matching rules [rhel-8.10.z]



ELSA-2026-50388 Important: Oracle Linux 8 Unbreakable Enterprise kernel security update


Oracle Linux Security Advisory ELSA-2026-50388

http://linux.oracle.com/errata/ELSA-2026-50388.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

aarch64:
kernel-uek-5.4.17-2136.357.3.2.el8uek.aarch64.rpm
kernel-uek-debug-5.4.17-2136.357.3.2.el8uek.aarch64.rpm
kernel-uek-debug-devel-5.4.17-2136.357.3.2.el8uek.aarch64.rpm
kernel-uek-devel-5.4.17-2136.357.3.2.el8uek.aarch64.rpm
kernel-uek-doc-5.4.17-2136.357.3.2.el8uek.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/kernel-uek-5.4.17-2136.357.3.2.el8uek.src.rpm

Related CVEs:

CVE-2026-43499

Description of changes:

[5.4.17-2136.357.3.2]
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Davidlohr Bueso) [Orabug: 39706958]
- rtmutex: Use waiter::task instead of current in remove_waiter() (Keenan Dong) [Orabug: 39706958] {CVE-2026-43499}

[5.4.17-2136.357.3.1]
- KVM: x86: Fix shadow paging use-after-free due to unexpected role (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/MMU: Recursively zap nested TDP SPs when zapping last/only parent (Ben Gardon) [Orabug: 39673892]
- KVM: x86/mmu: Move flush logic from mmu_page_zap_pte() to FNAME(invlpg) (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page() (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86/mmu: Passing up the error state of mmu_alloc_shadow_roots() (Like Xu) [Orabug: 39673892]
- KVM: MMU: load PDPTRs outside mmu_lock (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86/mmu: Check PDPTRs before allocating PAE roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes (David Matlack) [Orabug: 39673892]
- KVM: x86/mmu: Derive shadow MMU page role from parent (David Matlack) [Orabug: 39673892]
- KVM: X86: Remove useless code to set role.gpte_is_8_bytes when role.direct (Lai Jiangshan) [Orabug: 39673892]
- KVM: X86: Synchronize the shadow pagetable before link it (Lai Jiangshan) [Orabug: 39673892]
- KVM: X86: Fix missed remote tlb flush in rmap_write_protect() (Lai Jiangshan) [Orabug: 39673892]
- KVM: x86/mmu: Refactor shadow walk in __direct_map() to reduce indentation (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Stop passing "direct" to mmu_alloc_root() (David Matlack) [Orabug: 39673892]
- KVM: x86/mmu: Use a bool for direct (David Matlack) [Orabug: 39673892]
- kvm: mmu: Replace unsigned with unsigned int for PTE access (Ben Gardon) [Orabug: 39673892]
- KVM: x86/mmu: Ensure MMU pages are available when allocating roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Allocate pae_root and lm_root pages in dedicated helper (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Allocate the lm_root before allocating PAE roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Capture 'mmu' in a local variable when allocating roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Alloc page for PDPTEs when shadowing 32-bit NPT with 64-bit (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Stash 'kvm' in a local variable in kvm_mmu_free_roots() (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Add a helper to consolidate root sp allocation (Sean Christopherson) [Orabug: 39673892]
- net/sched: act_pedit: fix action bind logic (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: free pedit keys on bail from offset check (Pedro Tammela) [Orabug: 39680880]
- net/sched: fix pedit partial COW leading to page cache corruption (Rajat Gupta) [Orabug: 39680880] {CVE-2026-46331}
- net/sched: act_pedit: Parse L3 Header for L4 offset (Max Tottenham) [Orabug: 39680880]
- net/sched: act_pedit: rate limit datapath messages (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: check static offsets a priori (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: remove extra check for key type (Pedro Tammela) [Orabug: 39680880]
- net/sched: simplify tcf_pedit_act (Pedro Tammela) [Orabug: 39680880]
- net/sched: transition act_pedit to rcu and percpu stats (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: use NLA_POLICY for parsing 'ex' keys (Pedro Tammela) [Orabug: 39680880]

[5.4.17-2136.357.3]
- net: skbuff: fix missing zerocopy reference in pskb_carve helpers (Minh Nguyen) [Orabug: 39619389] {CVE-2026-52943}

[5.4.17-2136.357.2]
- net: fix fanout UAF in packet_release() via NETDEV_UP race (Yochai Eisenrich) [Orabug: 39250953] {CVE-2026-31504}
- x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers (Dan Williams) [Orabug: 39429802]
- x86/kaslr: Reduce KASLR entropy on most x86 systems (Balbir Singh) [Orabug: 39429802]
- net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null (Cezar Bulinaru) [Orabug: 39526882] {CVE-2022-50073}
- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Rutland) [Orabug: 39548666] {CVE-2025-10263}
- arm64: tlb: Add ARM64_WORKAROUND_REPEAT_TLBI_SYNC (Mark Rutland) [Orabug: 39548666]
- ARM: uek: Disable CONFIG_QCOM_FALKOR_ERRATUM_1003 (Boris Ostrovsky) [Orabug: 39548666]
- arm64: tlb: allow XZR argument to TLBI ops (Mark Rutland) [Orabug: 39548666]
- arm64: cputype: Add C1-Premium definitions (Mark Rutland) [Orabug: 39548666]
- arm64: cputype: Add C1-Ultra definitions (Mark Rutland) [Orabug: 39548666]
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (Eric Dumazet) [Orabug: 39300926] {CVE-2026-43037}

[5.4.17-2136.357.1]
- batman-adv: hold claim backbone gateways by reference (Haoze Xie) [Orabug: 39262375] {CVE-2026-31657}
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker (Michael Bommarito) [Orabug: 39446045]
- scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() (Michael Bommarito) [Orabug: 39446045]
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf (Michael Bommarito) [Orabug: 39446045]
- rds: Drop rds conn in connect worker if not in down state. (Rohit Nair) [Orabug: 39152239]

[5.4.17-2136.356.4.1]
- smb: client: reject userspace cifs.spnego descriptions (Asim Viladi Oglu Manizada) [Orabug: 39463669] {CVE-2026-46243}

[5.4.17-2136.356.4]
- tun: free page on build_skb failure in tun_xdp_one() (Weiming Shi) [Orabug: 39429147]
- tap: free page on error paths in tap_get_user_xdp() (Weiming Shi) [Orabug: 39429147]
- tun: free page on short-frame rejection in tun_xdp_one() (Weiming Shi) [Orabug: 39429147]

[5.4.17-2136.356.3]
- ptrace: slightly saner 'get_dumpable()' logic (Linus Torvalds) [Orabug: 39384275,39391459] {CVE-2026-46333}
- net: skbuff: propagate shared-frag marker through frag-transfer helpers (Hyunwoo Kim) [Orabug: 39368828,39441326] {CVE-2026-43503,CVE-2026-46300}
- net: skbuff: preserve shared-frag marker during coalescing (William Bowling) [Orabug: 39368828] {CVE-2026-46300}

[5.4.17-2136.356.2]
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Jeff Layton) [Orabug: 39167617,39368718] {CVE-2026-31402}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() (Maurizio Lombardi) [Orabug: 38985173,39368732] {CVE-2026-23216}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (Maurizio Lombardi) [Orabug: 38970455,39368774] {CVE-2026-23193}
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen) [Orabug: 39334580,39367147] {CVE-2026-43284}
- x86/CPU/AMD: Add a fix for AMD-SB-7052 (Prathyushi Nangia) [Orabug: 39218897] {CVE-2025-54518}

[5.4.17-2136.356.1]
- arm64/kvm: Include linux/random.h in trng.c (Siddh Raman Pant) [Orabug: 39327096]
- i2c: designware: Disable TX_EMPTY irq while waiting for block length byte (Tam Nguyen) [Orabug: 39174662]
- i2c: designware: Handle invalid SMBus block data response length value (Tam Nguyen) [Orabug: 39174662]
- i2c: designware: fix __i2c_dw_disable() in case master is holding SCL low (Yann Sionneau) [Orabug: 39174662]



ELSA-2026-36721 Moderate: Oracle Linux 8 edk2 security, bug fix, and enhancement update


Oracle Linux Security Advisory ELSA-2026-36721

http://linux.oracle.com/errata/ELSA-2026-36721.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
edk2-ovmf-20220126gitbb1bba3d77-13.el8_10.10.noarch.rpm

aarch64:
edk2-aarch64-20220126gitbb1bba3d77-13.el8_10.10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/edk2-20220126gitbb1bba3d77-13.el8_10.10.src.rpm

Related CVEs:

CVE-2025-9230

Description of changes:

[20220126gitbb1bba3d77-13.el8.10]
- edk2-OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch [RHEL-151949]
- Resolves: RHEL-151949
([FJ8.10 Bug] How to Update Secure Boot Certificates with Microsoft 2023 in KVM Guests)

[20220126gitbb1bba3d77-13.el8.9]
- edk2-openssl-flatten-contents-of-openssl-tarball.patch [RHEL-115901]
- edk2-Bumped-openssl-submodule-to-rhel-8-main.patch [RHEL-115901]
- Resolves: RHEL-115901
(CVE-2025-9230 edk2: Out-of-bounds read & write in RFC 3211 KEK Unwrap [rhel-8.10.z])

[20220126gitbb1bba3d77-13.el8.8]
- edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch [RHEL-71687]
- Resolves: RHEL-71687
([Regression] HTTP boot not available [aarch64] [rhel-8.10.z])

[20220126gitbb1bba3d77-13.el8.7]
- edk2-redhat-Fix-ovmf-vars-generator-RH-only.patch [RHEL-66236]
- Resolves: RHEL-66236
([Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater [rhel-8.10])

[20220126gitbb1bba3d77-13.el8.6]
- edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch [RHEL-66188]
- Resolves: RHEL-66188
([Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater [rhel-8.10])

[20220126gitbb1bba3d77-13.el8.5]
- edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236]
- edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236]
- Resolves: RHEL-66236
([Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10])

[20220126gitbb1bba3d77-13.el8.4]
- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60830]
- Resolves: RHEL-60830
(CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-8.10.z])

[20220126gitbb1bba3d77-13.el8.3]
- edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch [RHEL-53009]
- Resolves: RHEL-53009
(No http boot support on edk2-ovmf-20231122-6.el9_4.2 [rhel-8.10.z])

[20220126gitbb1bba3d77-13.el8_10.2]
[20220126gitbb1bba3d77-13.el8_10.1]
- edk2-MdeModulePkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdePkg-Apply-uncrustify-changes.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-NetworkPkg-Apply-uncrustify-changes.p2.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Rename-RdRandGenerateEntropy-to-g.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Remove-ArchGetSupportedRngAlgorit.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Documentation-include-parameter-c.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Check-before-advertising-Cpu-Rng-.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Add-AArch64-RawAlgorithm-support-.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Add-debug-warning-for-NULL-PcdCpu.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Rename-AArch64-RngDxe.c.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Add-Arm-support-of-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Correctly-update-mAvailableAlgoAr.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Conditionally-install-EFI_RNG_PRO.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdeModulePkg-Duplicate-BaseRngLibTimerLib-to-MdeModu.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdePkg-Add-deprecated-warning-to-BaseRngLibTimer.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-SecurityPkg.dec-Move-PcdCpuRngSupportedA.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdePkg-DxeRngLib-Request-raw-algorithm-instead-of-de.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdePkg-Rng-Add-GUID-to-describe-Arm-Rndr-Rng-algorit.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdeModulePkg-Rng-Add-GUID-to-describe-unsafe-Rng-alg.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdePkg-Rng-Add-GetRngGuid-to-RngLib.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Use-GetRngGuid-when-probing-RngLi.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-Simplify-Rng-algorithm-selection-.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-SecurityPkg-RngDxe-add-rng-test.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-OvmfPkg-wire-up-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch [RHEL-21854 RHEL-21856 RHEL-40099]
- Resolves: RHEL-21854
(CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8])
- Resolves: RHEL-21856
(CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8])
- Resolves: RHEL-40099
(CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z])



ELSA-2026-50388 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update


Oracle Linux Security Advisory ELSA-2026-50388

http://linux.oracle.com/errata/ELSA-2026-50388.html

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-uek-5.4.17-2136.357.3.2.el7uek.x86_64.rpm
kernel-uek-container-5.4.17-2136.357.3.2.el7uek.x86_64.rpm
kernel-uek-container-debug-5.4.17-2136.357.3.2.el7uek.x86_64.rpm
kernel-uek-debug-5.4.17-2136.357.3.2.el7uek.x86_64.rpm
kernel-uek-debug-devel-5.4.17-2136.357.3.2.el7uek.x86_64.rpm
kernel-uek-devel-5.4.17-2136.357.3.2.el7uek.x86_64.rpm
kernel-uek-doc-5.4.17-2136.357.3.2.el7uek.noarch.rpm
kernel-uek-tools-5.4.17-2136.357.3.2.el7uek.x86_64.rpm

SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-5.4.17-2136.357.3.2.el7uek.src.rpm

Related CVEs:

CVE-2026-43499

Description of changes:

[5.4.17-2136.357.3.2]
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Davidlohr Bueso) [Orabug: 39706958]
- rtmutex: Use waiter::task instead of current in remove_waiter() (Keenan Dong) [Orabug: 39706958] {CVE-2026-43499}

[5.4.17-2136.357.3.1]
- KVM: x86: Fix shadow paging use-after-free due to unexpected role (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/MMU: Recursively zap nested TDP SPs when zapping last/only parent (Ben Gardon) [Orabug: 39673892]
- KVM: x86/mmu: Move flush logic from mmu_page_zap_pte() to FNAME(invlpg) (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page() (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86/mmu: Passing up the error state of mmu_alloc_shadow_roots() (Like Xu) [Orabug: 39673892]
- KVM: MMU: load PDPTRs outside mmu_lock (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86/mmu: Check PDPTRs before allocating PAE roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes (David Matlack) [Orabug: 39673892]
- KVM: x86/mmu: Derive shadow MMU page role from parent (David Matlack) [Orabug: 39673892]
- KVM: X86: Remove useless code to set role.gpte_is_8_bytes when role.direct (Lai Jiangshan) [Orabug: 39673892]
- KVM: X86: Synchronize the shadow pagetable before link it (Lai Jiangshan) [Orabug: 39673892]
- KVM: X86: Fix missed remote tlb flush in rmap_write_protect() (Lai Jiangshan) [Orabug: 39673892]
- KVM: x86/mmu: Refactor shadow walk in __direct_map() to reduce indentation (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Stop passing "direct" to mmu_alloc_root() (David Matlack) [Orabug: 39673892]
- KVM: x86/mmu: Use a bool for direct (David Matlack) [Orabug: 39673892]
- kvm: mmu: Replace unsigned with unsigned int for PTE access (Ben Gardon) [Orabug: 39673892]
- KVM: x86/mmu: Ensure MMU pages are available when allocating roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Allocate pae_root and lm_root pages in dedicated helper (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Allocate the lm_root before allocating PAE roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Capture 'mmu' in a local variable when allocating roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Alloc page for PDPTEs when shadowing 32-bit NPT with 64-bit (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Stash 'kvm' in a local variable in kvm_mmu_free_roots() (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Add a helper to consolidate root sp allocation (Sean Christopherson) [Orabug: 39673892]
- net/sched: act_pedit: fix action bind logic (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: free pedit keys on bail from offset check (Pedro Tammela) [Orabug: 39680880]
- net/sched: fix pedit partial COW leading to page cache corruption (Rajat Gupta) [Orabug: 39680880] {CVE-2026-46331}
- net/sched: act_pedit: Parse L3 Header for L4 offset (Max Tottenham) [Orabug: 39680880]
- net/sched: act_pedit: rate limit datapath messages (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: check static offsets a priori (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: remove extra check for key type (Pedro Tammela) [Orabug: 39680880]
- net/sched: simplify tcf_pedit_act (Pedro Tammela) [Orabug: 39680880]
- net/sched: transition act_pedit to rcu and percpu stats (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: use NLA_POLICY for parsing 'ex' keys (Pedro Tammela) [Orabug: 39680880]

[5.4.17-2136.357.3]
- net: skbuff: fix missing zerocopy reference in pskb_carve helpers (Minh Nguyen) [Orabug: 39619389] {CVE-2026-52943}

[5.4.17-2136.357.2]
- net: fix fanout UAF in packet_release() via NETDEV_UP race (Yochai Eisenrich) [Orabug: 39250953] {CVE-2026-31504}
- x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers (Dan Williams) [Orabug: 39429802]
- x86/kaslr: Reduce KASLR entropy on most x86 systems (Balbir Singh) [Orabug: 39429802]
- net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null (Cezar Bulinaru) [Orabug: 39526882] {CVE-2022-50073}
- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Rutland) [Orabug: 39548666] {CVE-2025-10263}
- arm64: tlb: Add ARM64_WORKAROUND_REPEAT_TLBI_SYNC (Mark Rutland) [Orabug: 39548666]
- ARM: uek: Disable CONFIG_QCOM_FALKOR_ERRATUM_1003 (Boris Ostrovsky) [Orabug: 39548666]
- arm64: tlb: allow XZR argument to TLBI ops (Mark Rutland) [Orabug: 39548666]
- arm64: cputype: Add C1-Premium definitions (Mark Rutland) [Orabug: 39548666]
- arm64: cputype: Add C1-Ultra definitions (Mark Rutland) [Orabug: 39548666]
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (Eric Dumazet) [Orabug: 39300926] {CVE-2026-43037}

[5.4.17-2136.357.1]
- batman-adv: hold claim backbone gateways by reference (Haoze Xie) [Orabug: 39262375] {CVE-2026-31657}
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker (Michael Bommarito) [Orabug: 39446045]
- scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() (Michael Bommarito) [Orabug: 39446045]
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf (Michael Bommarito) [Orabug: 39446045]
- rds: Drop rds conn in connect worker if not in down state. (Rohit Nair) [Orabug: 39152239]

[5.4.17-2136.356.4.1]
- smb: client: reject userspace cifs.spnego descriptions (Asim Viladi Oglu Manizada) [Orabug: 39463669] {CVE-2026-46243}

[5.4.17-2136.356.4]
- tun: free page on build_skb failure in tun_xdp_one() (Weiming Shi) [Orabug: 39429147]
- tap: free page on error paths in tap_get_user_xdp() (Weiming Shi) [Orabug: 39429147]
- tun: free page on short-frame rejection in tun_xdp_one() (Weiming Shi) [Orabug: 39429147]

[5.4.17-2136.356.3]
- ptrace: slightly saner 'get_dumpable()' logic (Linus Torvalds) [Orabug: 39384275,39391459] {CVE-2026-46333}
- net: skbuff: propagate shared-frag marker through frag-transfer helpers (Hyunwoo Kim) [Orabug: 39368828,39441326] {CVE-2026-43503,CVE-2026-46300}
- net: skbuff: preserve shared-frag marker during coalescing (William Bowling) [Orabug: 39368828] {CVE-2026-46300}

[5.4.17-2136.356.2]
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Jeff Layton) [Orabug: 39167617,39368718] {CVE-2026-31402}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() (Maurizio Lombardi) [Orabug: 38985173,39368732] {CVE-2026-23216}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (Maurizio Lombardi) [Orabug: 38970455,39368774] {CVE-2026-23193}
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen) [Orabug: 39334580,39367147] {CVE-2026-43284}
- x86/CPU/AMD: Add a fix for AMD-SB-7052 (Prathyushi Nangia) [Orabug: 39218897] {CVE-2025-54518}

[5.4.17-2136.356.1]
- arm64/kvm: Include linux/random.h in trng.c (Siddh Raman Pant) [Orabug: 39327096]
- i2c: designware: Disable TX_EMPTY irq while waiting for block length byte (Tam Nguyen) [Orabug: 39174662]
- i2c: designware: Handle invalid SMBus block data response length value (Tam Nguyen) [Orabug: 39174662]
- i2c: designware: fix __i2c_dw_disable() in case master is holding SCL low (Yann Sionneau) [Orabug: 39174662]



ELBA-2026-36731 Oracle Linux 8 libusbx bug fix and enhancement update


Oracle Linux Bug Fix Advisory ELBA-2026-36731

http://linux.oracle.com/errata/ELBA-2026-36731.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
libusbx-1.0.30-1.el8_10.i686.rpm
libusbx-1.0.30-1.el8_10.x86_64.rpm
libusbx-devel-1.0.30-1.el8_10.i686.rpm
libusbx-devel-1.0.30-1.el8_10.x86_64.rpm
libusbx-devel-doc-1.0.30-1.el8_10.noarch.rpm

aarch64:
libusbx-1.0.30-1.el8_10.aarch64.rpm
libusbx-devel-1.0.30-1.el8_10.aarch64.rpm
libusbx-devel-doc-1.0.30-1.el8_10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/libusbx-1.0.30-1.el8_10.src.rpm

Description of changes:

[1.0.30-1]
- The release 1.0.30 resolves major bugs
- Include the new API for fwupd backporting
Resovles: RHEL-184258



ELBA-2026-36725 Oracle Linux 8 nfs-utils bug fix and enhancement update


Oracle Linux Bug Fix Advisory ELBA-2026-36725

http://linux.oracle.com/errata/ELBA-2026-36725.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
libnfsidmap-2.3.3-69.0.1.el8_10.i686.rpm
libnfsidmap-2.3.3-69.0.1.el8_10.x86_64.rpm
libnfsidmap-devel-2.3.3-69.0.1.el8_10.i686.rpm
libnfsidmap-devel-2.3.3-69.0.1.el8_10.x86_64.rpm
nfs-utils-2.3.3-69.0.1.el8_10.x86_64.rpm

aarch64:
libnfsidmap-2.3.3-69.0.1.el8_10.aarch64.rpm
libnfsidmap-devel-2.3.3-69.0.1.el8_10.aarch64.rpm
nfs-utils-2.3.3-69.0.1.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/nfs-utils-2.3.3-69.0.1.el8_10.src.rpm

Description of changes:

[2.3.3-69.0.1]
- nfsd: allow more than 64 backlogged connections
- spec: remove multiple warnings when upgrading nfs-utils with gssproxy [Orabug: 35173372]

[2.3.3-69]
- nfsrahead: enable event-driven mountinfo monitoring and skip non-NFS devices (RHEL-150760)
- nfsrahead: zero-initialise device_info struct (RHEL-150760)
- nfsrahead: quieten misleading error for non-NFS block devices (RHEL-150760)



ELSA-2026-35830 Important: Oracle Linux 8 grafana security update


Oracle Linux Security Advisory ELSA-2026-35830

http://linux.oracle.com/errata/ELSA-2026-35830.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
grafana-9.2.10-31.0.1.el8_10.x86_64.rpm
grafana-selinux-9.2.10-31.0.1.el8_10.x86_64.rpm

aarch64:
grafana-9.2.10-31.0.1.el8_10.aarch64.rpm
grafana-selinux-9.2.10-31.0.1.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/grafana-9.2.10-31.0.1.el8_10.src.rpm

Related CVEs:

CVE-2026-39821

Description of changes:

[9.2.10-31.0.1]
- Fixes CVE-2024-1442 Add email verification when updating user email [Orabug: 38550520]

[9.2.10-31]
- Resolves RHEL-183728: CVE-2026-39821



ELBA-2026-36724 Oracle Linux 8 gdm and gnome-shell bug fix and enhancement update


Oracle Linux Bug Fix Advisory ELBA-2026-36724

http://linux.oracle.com/errata/ELBA-2026-36724.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
gdm-40.0-28.el8_10.i686.rpm
gdm-40.0-28.el8_10.x86_64.rpm
gdm-devel-40.0-28.el8_10.i686.rpm
gdm-devel-40.0-28.el8_10.x86_64.rpm
gdm-pam-extensions-devel-40.0-28.el8_10.i686.rpm
gdm-pam-extensions-devel-40.0-28.el8_10.x86_64.rpm
gnome-shell-3.32.2-60.el8_10.x86_64.rpm

aarch64:
gdm-40.0-28.el8_10.aarch64.rpm
gdm-devel-40.0-28.el8_10.aarch64.rpm
gdm-pam-extensions-devel-40.0-28.el8_10.aarch64.rpm
gnome-shell-3.32.2-60.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/gdm-40.0-28.el8_10.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/gnome-shell-3.32.2-60.el8_10.src.rpm

Description of changes:

gdm
[40.0-28]
- Fix recovering client proxies
Resolves: RHEL-185770

gnome-shell
[3.32.2-60]
- Backport fix to recover userVerifier
Resolves: RHEL-185731



New Ksplice updates for UEKR8 6.12.0 on OL9 and OL10 (ELSA-2026-50319)


Synopsis: ELSA-2026-50319 can now be patched using Ksplice
CVEs: CVE-2026-23272 CVE-2026-31419 CVE-2026-31504 CVE-2026-31533 CVE-2026-31657 CVE-2026-31669 CVE-2026-43037 CVE-2026-43074 CVE-2026-43499 CVE-2026-46113 CVE-2026-46116 CVE-2026-53163

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2026-50319.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2026-50319.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR8 6.12.0 on
OL9 and OL10 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2026-23272: Use-after-free in Netfilter driver.

Orabug: 39562729

* CVE-2026-31419: Use-after-free in Bonding driver.

Orabug: 39556377

* CVE-2026-31504: Use-after-free in Packet socket driver.

Orabug: 39556380

* CVE-2026-31533: Use-after-free in Transport Layer Security driver.

Orabug: 39556386

* CVE-2026-31657: Use-after-free in Bridge Loop Avoidance driver.

Orabug: 39556388

* CVE-2026-31669: Use-after-free in MPTCP: Multipath TCP driver.

Orabug: 39556381

* CVE-2026-43037: Out-of-bounds write in IPv6: IP-in-IPv6 tunnel (RFC2473) driver.

Orabug: 39556341

* CVE-2026-43074: Use-after-free in epoll.

Orabug: 39556391

* CVE-2026-43499, CVE-2026-53163: Use-after-free in core kernel RT-mutex.

Orabug: 39556379

* CVE-2026-46113: Use-after-free in KVM shadow paging.

Orabug: 39673880

* CVE-2026-46116: Use-after-free in XFRM.

Orabug: 39556375

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.