[El-errata] ELSA-2026-50144 Important: Unbreakable Enterprise kernel security update

[Errata Announcements for Oracle Linux]

Oracle Linux Security Advisory ELSA-2026-50144

http://linux.oracle.com/errata/ELSA-2026-50144.html

The following updated rpms for have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-uek-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-devel-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-doc-6.12.0-109.67.6.el10uek.noarch.rpm
kernel-uek-modules-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-deprecated-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-desktop-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-extra-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-extra-netfilter-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-usb-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-modules-wireless-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-tools-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-devel-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-core-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-deprecated-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-desktop-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-extra-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-extra-netfilter-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-usb-6.12.0-109.67.6.el10uek.x86_64.rpm
kernel-uek-debug-modules-wireless-6.12.0-109.67.6.el10uek.x86_64.rpm

aarch64:
kernel-uek-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-devel-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-deprecated-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-desktop-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-extra-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-extra-netfilter-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-usb-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-modules-wireless-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-tools-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-devel-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-deprecated-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-desktop-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-extra-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-extra-netfilter-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-usb-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek-debug-modules-wireless-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-devel-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-core-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-deprecated-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-desktop-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-extra-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-extra-netfilter-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-usb-6.12.0-109.67.6.el10uek.aarch64.rpm
kernel-uek64k-modules-wireless-6.12.0-109.67.6.el10uek.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/kernel-uek-6.12.0-109.67.6.el10uek.src.rpm

Related CVEs:

CVE-2025-22111
CVE-2025-38248
CVE-2025-38591
CVE-2025-68792
CVE-2025-71088
CVE-2025-71127
CVE-2025-71134
CVE-2025-71144
CVE-2025-71160
CVE-2025-71182
CVE-2025-71183
CVE-2025-71184
CVE-2025-71190
CVE-2025-71194
CVE-2026-22976
CVE-2026-22977
CVE-2026-22978
CVE-2026-22979
CVE-2026-22980
CVE-2026-22984
CVE-2026-22988
CVE-2026-22989
CVE-2026-22990
CVE-2026-22991
CVE-2026-22992
CVE-2026-22994
CVE-2026-22996
CVE-2026-22997
CVE-2026-22998
CVE-2026-22999
CVE-2026-23000
CVE-2026-23001
CVE-2026-23002
CVE-2026-23003
CVE-2026-23005
CVE-2026-23010
CVE-2026-23011
CVE-2026-23020
CVE-2026-23021
CVE-2026-23023
CVE-2026-23025
CVE-2026-23030
CVE-2026-23031
CVE-2026-23032
CVE-2026-23035
CVE-2026-23038
CVE-2026-23047
CVE-2026-23049
CVE-2026-23050
CVE-2026-23053
CVE-2026-23054
CVE-2026-23136
CVE-2026-23139
CVE-2026-23140
CVE-2026-23141
CVE-2026-23142
CVE-2026-23144
CVE-2026-23145




Description of changes:

[6.12.0-109.67.6]
- net: tunnel: make skb_vlan_inet_prepare() return drop reasons (Menglong Dong)  [Orabug: 39027305]

[6.12.0-109.67.5]
- uek-rpm: fixed specs to explicitly call python3 as set as a requirement (Mark Nicholson) [Orabug: 38933158]
- Revert "net/rds: fix crash by expanding kref coverage to rds_incoming.i_conn" (Sharath Srinivasan) [Orabug: 38945524]
- Revert "net/rds: expand kref coverage to rds_notifier->n_conn" (Sharath Srinivasan) [Orabug: 38945524]

[6.12.0-109.67.4]
- KVM: x86: conditionally clear masterclock request for uek=exadata (Dongli Zhang) [Orabug: 38905553]
- Partial backport of "KVM: x86: Fix software TSC upscaling in kvm_update_guest_time()" (Dongli Zhang) [Orabug: 38905553]
- ext4/jbd2: skip sb flush when EIO happened (Wengang Wang) [Orabug: 38916907]
- jbd2: store more accurate errno in superblock when possible (Wengang Wang) [Orabug: 38916907]
- net/rds: fix rds_message memleak in rds_send_xmit (Sharath Srinivasan) [Orabug: 38923495]
- Revert "IB/mlx5: Implement clear counters" (Sharath Srinivasan) [Orabug: 38923518]
- Revert "IB/core: Implement clear counters" (Sharath Srinivasan) [Orabug: 38923518]
- net/rds: fix rds_message memleak in rds_send_queue_rm (Sharath Srinivasan) [Orabug: 38928269]
- net/rds: rds_send_xmit should INIT_LIST_HEAD(&to_be_dropped) on restart (Sharath Srinivasan) [Orabug: 38928271]
- net/rds: wait_event_timeout until zero connections during rmmod (Sharath Srinivasan) [Orabug: 38928273]

[6.12.0-109.67.3]
- RAS/AMD/ATL: Require PRM support for future systems (Yazen Ghannam) [Orabug: 38869580]
- ACPI: PRM: Add acpi_prm_handler_available() (Yazen Ghannam) [Orabug: 38869580]
- Documentation: add documentation for MFD_MF_KEEP_UE_MAPPED (William Roche) [Orabug: 38768984]
- selftests/mm: test userspace MFR for HugeTLB hugepage (William Roche) [Orabug: 38768984]
- mm: memfd/hugetlb: introduce memfd-based userspace MFR policy (William Roche) [Orabug: 38768984]
- mm/memory-failure: teach kill_accessing_process to accept hugetlb tail page pfn (Jane Chu) [Orabug: 38768984]
- mm/memory-failure: fix missing ->mf_stats count in hugetlb poison (Jane Chu) [Orabug: 38768984]
- Reapply "cpuidle: menu: Avoid discarding useful information" (Harshvardhan Jha) [Orabug: 38741180]

[6.12.0-109.67.2]
- net: mana: Reduce waiting time if HWC not responding (Haiyang Zhang) [Orabug: 38881615]

[6.12.0-109.67.1]
- LTS version: v6.12.67 (Jack Vogel)
- mm/fake-numa: handle cases with no SRAT info (Bruno Faccini)
- mm/page_alloc: prevent pcp corruption with SMP=n (Vlastimil Babka) [Orabug: 38914772] {CVE-2026-23025}
- mm/page_alloc: batch page freeing in decay_pcp_high (Joshua Hahn)
- mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection (Joshua Hahn)
- dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure (Zhen Ni)
- phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() (Xu Wang) [Orabug: 38914781] {CVE-2026-23030}
- phy: phy-rockchip-inno-usb2: Use dev_err_probe() in the probe path (Dragan Simic)
for 'numa_nodes_parsed' (Ben Dooks)
- mm/fake-numa: allow later numa node hotplug (Bruno Faccini)
- mm: kmsan: fix poisoning of high-order non-compound pages (Ryan Roberts)
- selftests/bpf: Test invalid narrower ctx load (Paul Chaignon)
- bpf: Reject narrower access to pointer ctx fields (Paul Chaignon) [Orabug: 38335080] {CVE-2025-38591}
- mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure (Seongjae Park) [Orabug: 38970289] {CVE-2026-23142}
- mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure (Seongjae Park)
- xfs: set max_agbno to allow sparse alloc of last full inode chunk (Brian Foster)
- btrfs: fix deadlock in wait_current_trans() due to ignored transaction type (Robbie Ko) [Orabug: 38930778] {CVE-2025-71194}
- HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue() (Nathan Chancellor)
- HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking (Zhang Lixu)
- dmaengine: ti: k3-udma: fix device leak on udma lookup (Johan Hovold)
- dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation (Johan Hovold)
- dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation (Johan Hovold)
- dmaengine: stm32: dmamux: fix OF node leak on route allocation failure (Johan Hovold)
- dmaengine: stm32: dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all() (Biju Das)
- dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() (Miaoqian Lin)
- dmaengine: lpc32xx-dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: lpc18xx-dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: idxd: fix device leaks on compat bind and unbind (Johan Hovold)
- dmaengine: dw: dmamux: fix OF node leak on route allocation failure (Johan Hovold)
- dmaengine: bcm-sba-raid: fix device leak on probe (Johan Hovold) [Orabug: 38914727] {CVE-2025-71190}
- dmaengine: at_hdmac: fix device leak on of_dma_xlate() (Johan Hovold)
- dmaengine: apple-admac: Add "apple,t8103-admac" compatible (Janne Grunau)
- LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells (Binbin Zhou)
- LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names (Binbin Zhou)
- LoongArch: dts: loongson-2k1000: Add default interrupt controller address cells (Binbin Zhou)
- LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells (Binbin Zhou)
- drm/vmwgfx: Fix an error return check in vmw_compat_shader_add() (Haoxiang Li)
- drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel (Marek Vasut) [Orabug: 38930828] {CVE-2026-23049}
- drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare (Lyude Paul)
- drm/amdkfd: fix a memory leak in device_queue_manager_init() (Haoxiang Li)
- drm/amd: Clean up kfd node on surprise disconnect (Mario Limonciello)
- drm/amd/display: Bump the HDMI clock to 340MHz (Mario Limonciello)
- LoongArch: Fix PMU counter allocation for mixed-type event groups (Lisa Robinson)
- mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure (Seongjae Park) [Orabug: 38970294] {CVE-2026-23144}
- mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free (Aboorva Devarajan)
- mm/zswap: fix error pointer free in zswap_cpu_comp_prepare() (Pavel Butsykin)
- nvme: fix PCIe subsystem reset controller state transition (Nilay Shroff)
- x86/resctrl: Fix memory bandwidth counter width for Hygon (Xiaochen Shen)
- x86/resctrl: Add missing resctrl initialization for Hygon (Xiaochen Shen)
- i2c: riic: Move suspend handling to NOIRQ phase (Tommaso Merciai)
- tcpm: allow looking for role_sw device in the main node (Arnaud Ferraris)
- EDAC/i3200: Fix a resource leak in i3200_probe1() (Haoxiang Li)
- EDAC/x38: Fix a resource leak in x38_probe1() (Haoxiang Li)
- hrtimer: Fix softirq base check in update_needs_ipi() (Thomas Weißschuh)
- ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref (Yangerkun) [Orabug: 38970600] {CVE-2026-23145}
- ASoC: codecs: wsa881x: fix unnecessary initialisation (Johan Hovold)
- nvme-pci: disable secondary temp for Wodposit WPBSNM8 (Ilikara Zheng)
- USB: serial: ftdi_sio: add support for PICAXE AXE027 cable (Ethan Nelson-Moore)
- USB: serial: option: add Telit LE910 MBIM composition (Ulrich Mohr)
- USB: OHCI/UHCI: Add soft dependencies on ehci_platform (Huacai Chen)
- usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor (Johannes Brüderl)
- usb: dwc3: Check for USB4 IP_NAME (Thinh Nguyen)
- phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7 (Wayne Chang)
- phy: rockchip: inno-usb2: fix disconnection in gadget mode (Louis Chauvet)
- phy: freescale: imx8m-pcie: assert phy reset during power on (Rafael Beims)
- phy: ti: gmii-sel: fix regmap leak on probe failure (Johan Hovold)
- phy: rockchip: inno-usb2: fix communication disruption in gadget mode (Luca Ceresoli)
- x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers (Dan Williams)
- lib/buildid: use __kernel_read() for sleepable context (Shakeel Butt) [Orabug: 38887735] {CVE-2026-23002}
- xfs: Fix the return value of xfs_rtcopy_summary() (Nirjhar Roy)
- net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts (Tetsuo Handa) [Orabug: 38887709] {CVE-2026-22997}
- can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit. (Ondrej Ille)
- can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak (Marc Kleine-Budde) [Orabug: 38914785] {CVE-2026-23031}
- null_blk: fix kmemleak by releasing references to fault configfs items (Nilay Shroff) [Orabug: 38914794] {CVE-2026-23032}
- ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer (Jaroslav Kysela)
- scsi: core: Fix error handler encryption support (Brian Kao)
- io_uring: move local task_work in exit cancel loop (Ming Lei)
- drm/amd/display: mark static functions noinline_for_stack (Tzung-Bi Shih)
- ASoC: codecs: wsa883x: fix unnecessary initialisation (Johan Hovold)
- bridge: mcast: Fix use-after-free during router port configuration (Ido Schimmel) [Orabug: 38175058] {CVE-2025-38248}
- HID: usbhid: paper over wrong bNumDescriptor field (Benjamin Tissoires)
- i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA (Neil Armstrong)
- dmaengine: omap-dma: fix dma_pool resource leak in error paths (Xu Wang)
- selftests/landlock: Properly close a file descriptor (Günther Noack)
- phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again) (Krzysztof Kozlowski)
- selftests/landlock: Remove invalid unix socket bind() (Matthieu Buffet)
- selftests/landlock: Fix TCP bind(AF_UNSPEC) test case (Matthieu Buffet)
- phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors (Xu Wang)
- phy: stm32-usphyc: Fix off by one in probe() (Dan Carpenter)
- phy: qcom-qusb2: Fix NULL pointer dereference on early suspend (Loic Poulain)
- phy: drop probe registration printks (Johan Hovold)
- phy: phy-snps-eusb2: refactor constructs names (Ivaylo Ivanov)
- phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it (Stefano Radaelli)
- dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing (Suraj Gupta)
- dmaengine: tegra-adma: Fix use-after-free (Sheetal)
- dmaengine: xilinx: xdma: Fix regmap max_register (Anthony Brandon)
- mm, kfence: describe @slab parameter in __kfence_obj_info() (Bagas Sanjaya)
- textsearch: describe @list member in ts_ops search (Bagas Sanjaya)
- mm: describe @flags parameter in memalloc_flags_save() (Bagas Sanjaya)
- drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2 (Yang Wang)
- ASoC: tlv320adcx140: fix word length (Emil Svendsen)
- ASoC: tlv320adcx140: fix null pointer (Emil Svendsen)
- ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type (Cole Leavitt)
- net/sched: sch_qfq: do not free existing class in qfq_change_class() (Eric Dumazet) [Orabug: 38887717] {CVE-2026-22999}
- selftests: drv-net: fix RPS mask handling for high CPU numbers (Gal Pressman)
- ipv6: Fix use-after-free in inet6_addr_del(). (Kuniyuki Iwashima) [Orabug: 38887755] {CVE-2026-23010}
- net: hv_netvsc: reject RSS hash key programming without RX indirection table (Aditya Garg) [Orabug: 38930846] {CVE-2026-23054}
- ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip (Richard Fitzgerald)
- net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback (Kery Qi)
- btrfs: fix memory leaks in create_space_info() error paths (Jiasheng Jiang)
- btrfs: introduce btrfs_space_info sub-group (Naohiro Aota)
- btrfs: factor out check_removing_space_info() from btrfs_free_block_groups() (Naohiro Aota)
- btrfs: factor out init_space_info() from create_space_info() (Naohiro Aota)
- net/mlx5e: Restore destroying state bit after profile cleanup (Saeed Mahameed)
- net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv (Saeed Mahameed) [Orabug: 38914806] {CVE-2026-23035}
- net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv (Saeed Mahameed) [Orabug: 38887705] {CVE-2026-22996}
- net/mlx5e: Fix crash on profile change rollback failure (Saeed Mahameed) [Orabug: 38887724] {CVE-2026-23000}
- vsock/test: add a final full barrier after run all tests (Stefano Garzarella)
- ipv4: ip_gre: make ipgre_header() robust (Eric Dumazet) [Orabug: 38887757] {CVE-2026-23011}
- macvlan: fix possible UAF in macvlan_forward_source() (Eric Dumazet) [Orabug: 38887729] {CVE-2026-23001}
- net: update netdev_lock_{type,name} (Eric Dumazet)
- ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() (Eric Dumazet) [Orabug: 38887737] {CVE-2026-23003}
- net: bridge: annotate data-races around fdb->{updated,used} (Eric Dumazet)
- btrfs: send: check for inline extents in range_is_hole_in_parent() (Qu Wenruo) [Orabug: 38970283] {CVE-2026-23141}
- nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (Shivam Kumar) [Orabug: 38887713] {CVE-2026-22998}
- can: etas_es58x: allow partial RX URB allocation to succeed (Szymon Wilczek)
- PM: EM: Fix incorrect description of the cost field in struct em_perf_state (Yaxiong Tian)
- drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions (Ian Forbes)
- pnfs/blocklayout: Fix memory leak in bl_parse_scsi() (Zilin Guan)
- pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() (Zilin Guan) [Orabug: 38914815] {CVE-2026-23038}
- NFS: Fix a deadlock involving nfs_release_folio() (Trond Myklebust) [Orabug: 38930844] {CVE-2026-23053}
- pNFS: Fix a deadlock when returning a delegation during open() (Trond Myklebust) [Orabug: 38930834] {CVE-2026-23050}
- xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set (Antony Antony)
- xfrm: Fix inner mode lookup in tunnel mode GSO segmentation (Jianbo Liu)
- ASoC: codecs: wsa884x: fix codec initialisation (Johan Hovold)
- x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 (Sean Christopherson) [Orabug: 38887746] {CVE-2026-23005}
- Revert "gfs2: Fix use of bio_chain" (Andreas Gruenbacher)
- efi/cper: Fix cper_bits_to_str buffer handling and return value (Dandan Zhang)
- firmware: imx: scu-irq: Set mu_resource_id before get handle (Peng Fan)
- LTS version: v6.12.66 (Jack Vogel)
- bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path (Shardul Bankar)
- ALSA: hda: intel-dsp-config: Prefer legacy driver as fallback (Takashi Iwai)
- tpm2-sessions: Fix out of range indexing in name_size (Jarkko Sakkinen) [Orabug: 38847816] {CVE-2025-68792}
- spi: cadence-quadspi: Prevent lost complete() call during indirect read (Mateusz Litwin)
- scsi: sg: Fix occasional bogus elapsed time that exceeds timeout (Michal Rábek)
- ASoC: fsl_sai: Add missing registers to cache default (Alexander Stein)
- ALSA: hda/realtek: enable woofer speakers on Medion NM14LNL (Kai Vehmanen)
- ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025 (Andrew Elantsev)
- ALSA: usb-audio: Update for native DSD support quirks (Jussi Laako)
- can: j1939: make j1939_session_activate() fail if device is no longer registered (Tetsuo Handa) [Orabug: 38914674] {CVE-2025-71182}
- drm/amdkfd: Fix improper NULL termination of queue restore SMI event string (Brian Kocoloski)
- spi: mt65xx: Use IRQF_ONESHOT with threaded IRQ (Fei Shao)
- drm/amd/display: Fix DP no audio issue (Charlene Liu)
- ata: libata-core: Disable LPM on ST2000DM008-2FR102 (Niklas Cassel)
- netfilter: nf_tables: avoid chain re-validation if possible (Florian Westphal) [Orabug: 38887632] {CVE-2025-71160}
- powercap: fix sscanf() error return value handling (Sumeet Pawnikar)
- powercap: fix race condition in register_control_type() (Sumeet Pawnikar)
- net: sfp: extend Potron XGSPON quirk to cover additional EEPROM variant (Marcus Hughes)
- bpf: Fix reference count leak in bpf_prog_test_run_xdp() (Tetsuo Handa) [Orabug: 38887701] {CVE-2026-22994}
- bpf, test_run: Subtract size of xdp_frame from allowed metadata size (Toke Høiland-Jørgensen) [Orabug: 38970281] {CVE-2026-23140}
- bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN (Amery Hung)
- bpf: Make variables in bpf_prog_test_run_xdp less confusing (Amery Hung)
- bpf: Fix an issue in bpf_prog_test_run_xdp when page size greater than 4K (Yonghong Song)
- btrfs: fix beyond-EOF write handling (Qu Wenruo)
- btrfs: use variable for end offset in extent_writepage_io() (Filipe Manana)
- btrfs: truncate ordered extent when skipping writeback past i_size (Filipe Manana)
- btrfs: remove btrfs_fs_info::sectors_per_page (Qu Wenruo)
- btrfs: add extra error messages for delalloc range related errors (Qu Wenruo)
- btrfs: subpage: dump the involved bitmap when ASSERT() failed (Qu Wenruo)
- btrfs: fix error handling of submit_uncompressed_range() (Qu Wenruo)
- ALSA: ac97: fix a double free in snd_ac97_controller_register() (Haoxiang Li)
- ALSA: ac97bus: Use guard() for mutex locks (Takashi Iwai)
- erofs: fix file-backed mounts no longer working on EROFS partitions (Gao Xiang)
- erofs: don't bother with s_stack_depth increasing for now (Gao Xiang)
- arp: do not assume dev_hard_header() does not change skb->head (Eric Dumazet) [Orabug: 38887789] {CVE-2026-22988}
- net: enetc: fix build warning when PAGE_SIZE is greater than 128K (Wei Fang)
- net: usb: pegasus: fix memory leak in update_eth_regs_async() (Petko Manolov) [Orabug: 38914760] {CVE-2026-23021}
- net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset (Xiang Mei) [Orabug: 38872324] {CVE-2026-22976}
- HID: quirks: work around VID/PID conflict for appledisplay (René Rebe)
- net: netdevsim: fix inconsistent carrier state after link/unlink (Yohei Kojima)
- idpf: cap maximum Rx buffer size (Joshua Hay)
- idpf: fix memory leak in idpf_vport_rel() (Emil Tantilov) [Orabug: 38914769] {CVE-2026-23023}
- idpf: keep the netdev when a reset fails (Emil Tantilov)
- net: fix memory leak in skb_segment_list for GRO packets (Mohammad Heib) [Orabug: 38887655] {CVE-2026-22979}
- riscv: pgtable: Cleanup useless VA_USER_XXX definitions (Guo Ren)
- btrfs: only enforce free space tree if v1 cache is required for bs < ps cases (Qu Wenruo)
- vsock: Make accept()ed sockets use custom setsockopt() (Michal Luczaj)
- bnxt_en: Fix potential data corruption with HW GRO/LRO (Srijit Bose)
- net: wwan: iosm: Fix memory leak in ipc_mux_deinit() (Zilin Guan)
- net/mlx5e: Don't print error message due to invalid module (Gal Pressman)
- netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates (Di Zhu)
- net: sock: fix hardened usercopy panic in sock_recv_errqueue (Weiming Shi) [Orabug: 38877945] {CVE-2026-22977}
- inet: ping: Fix icmp out counting (Yuan Gao)
- net: mscc: ocelot: Fix crash when adding interface under a lag (Jerry Wu)
- bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress (Alexandre Knecht)
- net: marvell: prestera: fix NULL dereference on devlink_alloc() failure (Alok Tiwari)
- netfilter: nf_conncount: update last_gc only when GC has been performed (Fernando Fernandez Mancera) [Orabug: 38970277] {CVE-2026-23139}
- netfilter: nf_tables: fix memory leak in nf_tables_newrule() (Zilin Guan)
- gpio: pca953x: handle short interrupt pulses on PCAL devices (Ernest Van Hoecke)
- gpio: pca953x: Add support for level-triggered interrupts (Potin Lai)
- netfilter: nft_synproxy: avoid possible data-race on update operation (Fernando Fernandez Mancera)
- netfilter: nft_set_pipapo: fix range overlap detection (Florian Westphal)
- arm64: dts: mba8mx: Fix Ethernet PHY IRQ support (Alexander Stein)
- arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart (Sherry Sun)
- arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM (Marek Vasut)
- ARM: dts: imx6q-ba16: fix RTC interrupt level (Ian Ray)
- arm64: dts: add off-on-delay-us for usdhc2 regulator (Haibo Chen)
- crypto: qat - fix duplicate restarting msg during AER error (Harshita Bhilwaria)
- arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix schema warnings (Wadim Egorov)
- drm/amd/display: Apply e4479aecf658 to dml (Nathan Chancellor)
- drm/amd/display: Respect user's CONFIG_FRAME_WARN more for dml files (Nathan Chancellor)
- btrfs: fix NULL dereference on root when tracing inode eviction (Miquel Sabaté Solà) [Orabug: 38914692] {CVE-2025-71184}
- btrfs: tracepoints: use btrfs_root_id() to get the id of a root (Filipe Manana)
- btrfs: qgroup: update all parent qgroups when doing quick inherit (Qu Wenruo)
- btrfs: fix qgroup_snapshot_quick_inherit() squota bug (Boris Burkov)
- scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" (Xingui Yang)
- scsi: ufs: core: Fix EH failure after W-LUN resume error (Brian Kao)
- scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset (Wen Xiong)
- smb/client: fix NT_STATUS_NO_DATA_DETECTED value (Chenxiaosong)
- smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value (Chenxiaosong)
- smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value (Chenxiaosong)
- drm/amd/display: shrink struct members (Rosen Penev)
- NFS: Fix up the automount fs_context to use the correct cred (Trond Myklebust)
- ASoC: rockchip: Fix Wvoid-pointer-to-enum-cast warning (again) (Krzysztof Kozlowski)
- NFSv4: ensure the open stateid seqid doesn't go backwards (Scott Mayhew)
- dm-snapshot: fix 'scheduling while atomic' on real-time kernels (Mikulas Patocka)
- alpha: don't reference obsolete termio struct for TC* constants (Sam James)
- ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels (Sebastian Andrzej Siewior)
- csky: fix csky_cmpxchg_fixup not working (Yang Li)
- drm/xe: Ensure GT is in C0 during resumes (Xin Wang)
- drm/xe: make xe_gt_idle_disable_c6() handle the forcewake internally (Xin Wang)
- libceph: make calc_target() set t->paused, not just clear it (Ilya Dryomov) [Orabug: 38930820] {CVE-2026-23047}
- libceph: reset sparse-read state in osd_fault() (Sam Edwards) [Orabug: 38970263] {CVE-2026-23136}
- libceph: return the handler error from mon_handle_auth_done() (Ilya Dryomov) [Orabug: 38887696] {CVE-2026-22992}
- libceph: make free_choose_arg_map() resilient to partial allocation (Tuo Li) [Orabug: 38887690] {CVE-2026-22991}
- libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (Ilya Dryomov) [Orabug: 38887684] {CVE-2026-22990}
- libceph: prevent potential out-of-bounds reads in handle_auth_done() (Ziming Zhang) [Orabug: 38887672] {CVE-2026-22984}
- wifi: mac80211: restore non-chanctx injection behaviour (Johannes Berg)
- wifi: avoid kernel-infoleak from struct iw_point (Eric Dumazet) [Orabug: 38887649] {CVE-2026-22978}
- pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping (Bartosz Golaszewski)
- gpio: rockchip: mark the GPIO controller as sleeping (Bartosz Golaszewski)
- drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[] (Alex Deucher)
- drm/pl111: Fix error handling in pl111_amba_probe (Miaoqian Lin)
- drm/amdgpu: Fix query for VPE block_type and ip_count (Alan Liu)
- counter: interrupt-cnt: Drop IRQF_NO_THREAD flag (Alexander Sverdlin)
- counter: 104-quad-8: Fix incorrect return value in IRQ handler (Xu Wang)
- lib/crypto: aes: Fix missing MMU protection for AES S-box (Eric Biggers)
- mei: me: add nova lake point S DID (Alexander Usyskin)
- btrfs: always detect conflicting inodes when logging inode refs (Filipe Manana) [Orabug: 38914680] {CVE-2025-71183}
- arm64: Fix cleared E0POE bit after cpu_suspend()/resume() (Levi Yun)
- net: 3com: 3c59x: fix possible null dereference in vortex_probe1() (Thomas Fourier) [Orabug: 38914754] {CVE-2026-23020}
- atm: Fix dma_free_coherent() size (Thomas Fourier)
- NFSD: Remove NFSERR_EAGAIN (Chuck Lever)
- NFSD: net ref data still needs to be freed even if net hasn't startup (Edward Adam Davis)
- nfsd: check that server is running in unlock_filesystem (Olga Kornievskaia) [Orabug: 38887681] {CVE-2026-22989}
- nfsd: use correct loop termination in nfsd4_revoke_states() (Neil Brown)
- nfsd: provide locking for v4_end_grace (Neil Brown) [Orabug: 38887658] {CVE-2026-22980}
- NFSD: Fix permission check for read access to executable-only files (Scott Mayhew)
- LTS version: v6.12.65 (Jack Vogel)
- pwm: stm32: Always program polarity (Sean Nyekjaer)
- virtio_console: fix order of fields cols and rows (Maximilian Immanuel Brandtner)
- sched/fair: Small cleanup to update_newidle_cost() (Peter Zijlstra)
- sched/fair: Small cleanup to sched_balance_newidle() (Peter Zijlstra)
- net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. (Thadeu Lima de Souza Cascardo) [Orabug: 37844499] {CVE-2025-22111}
- cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes (Richa Bharti)
- drm/amdgpu: Forward VMID reservation errors (Natalie Vock)
- net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration (Miaoqian Lin)
- wifi: mac80211: Discard Beacon frames to non-broadcast address (Jouni Malinen) [Orabug: 38852360] {CVE-2025-71127}
- mptcp: ensure context reset on disconnect() (Paolo Abeni) [Orabug: 38852416] {CVE-2025-71144}
- mm: consider non-anon swap cache folios in folio_expected_ref_count() (Bijan Tabatabai)
- mm: simplify folio_expected_ref_count() (David Hildenbrand)
- mm/page_alloc: change all pageblocks migrate type on coalescing (Alexander Gordeev) [Orabug: 38852382] {CVE-2025-71134}
- mptcp: fallback earlier on simult connection (Paolo Abeni) [Orabug: 38848079] {CVE-2025-71088}