- crypto: algif_aead - Fix minimum RX size check for decryption - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl - crypto: authencesn - Fix src offset when decrypting in-place - crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption - crypto: authenc - use memcpy_sglist() instead of null skcipher - crypto: algif_aead - snapshot IV for async AEAD requests - crypto: algif_aead - Revert to operating out-of-place - crypto: algif_aead - use memcpy_sglist() instead of null skcipher - crypto: scatterwalk - Backport memcpy_sglist() - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec - macvlan: fix possible UAF in macvlan_forward_source() {CVE-2026-23001} - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). {CVE-2025-40149} - bpf, cpumap: Make sure kthread is running before map update returns {CVE-2023-53577} - net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() {CVE-2023-53578} - migrate: correct lock ordering for hugetlb file folios {CVE-2026-23097} - net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve {CVE-2023-4623} - e1000e: fix heap overflow in e1000_set_eeprom {CVE-2025-39898} - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control {CVE-2025-39751} - md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request {CVE-2023-53380} - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() {CVE-2025-38103} - tls: separate no-async decryption request handling from async {CVE-2024-58240} - ftrace: Also allocate and copy hash for reading of filter files {CVE-2025-39689} - HID: uclogic: Correct devm device reference for hidinput input_dev name {CVE-2023-54207} - ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() {CVE-2025-71085} - ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() {CVE-2026-23089} - nfsd: provide locking for v4_end_grace {CVE-2026-22980} - ext4: fix uninititialized value in 'ext4_evict_inode' {CVE-2022-50546} - ip_vti: fix potential slab-use-after-free in decode_session6 {CVE-2023-53559} - dm flakey: don't corrupt the zero page {CVE-2023-54317} - net: add dst_dev_rcu() helper for safe dst->dev access {CVE-2025-40135} - xhci: simplify event ring dequeue tracking for transfer events - i40e: increase max descriptors for XL710 - perf/core: Prevent VMA split of buffer mappings {CVE-2025-38563} - net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class - KVM: x86: Reset IRTE to host control if *new* route isn't postable {CVE-2025-37885} - ipvlan: add ipvlan_route_v6_outbound() helper {CVE-2023-52796} - net: phylink: add lock for serializing concurrent pl->phydev writes with resolver {CVE-2025-39905} - kyber: fix out of bounds access when preempted {CVE-2021-46984} - page_pool: Fix use-after-free in page_pool_recycle_in_ring {CVE-2025-38129} - scsi: mpi3mr: Use number of bits to manage bitmap sizes {CVE-2023-53376} - crypto: lzo - Fix compression buffer overrun {CVE-2025-38068} - ipv6: use RCU for dst->dev access in ip6_xmit, ip6_output, ip6_finish_output2 {CVE-2025-40135} {CVE-2025-40158} - HID: hyperv: Correctly access fields declared as __le16 {CVE-2025-38103} - i40e: add validation for ring_len param {CVE-2025-39973} - mmc: core: use sysfs_emit() instead of sprintf() {CVE-2022-49267} - cacheinfo: Fix shared_cpu_map to handle shared caches at different levels {CVE-2023-53254} - drm/amdkfd: Fix double release compute pasid {CVE-2022-50303} - drm/amd/display: Check dce_hwseq before dereferencing it {CVE-2025-38361} - RDMA/rxe: Fix mr->map double free {CVE-2022-50543} - virtio-net: ensure the received length does not exceed allocated size {CVE-2025-38375} - crypto: qat - resolve race condition during AER recovery {CVE-2024-26974}