- libceph: make decode_pool() more resilient against corrupted osdmaps {CVE-2025-71116} - scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() {CVE-2026-23216} - e1000: fix OOB in e1000_tbi_should_accept() {CVE-2025-71093} - ALSA: usb-audio: Use correct version for UAC3 header validation {CVE-2026-23318} - nfnetlink_osf: validate individual option lengths in fingerprints {CVE-2026-23397} - Squashfs: check metadata block offset is within range {CVE-2026-23388} - net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled {CVE-2026-23381} - wifi: mac80211: fix NULL deref in mesh_matches_local() {CVE-2026-23396} - icmp: fix NULL pointer dereference in icmp_tag_validation() {CVE-2026-23398} - HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them {CVE-2026-23382} - net: usb: kalmia: validate USB endpoints {CVE-2026-23365} - wifi: radiotap: reject radiotap with unknown bits {CVE-2026-23367} - drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() {CVE-2026-23356} - batman-adv: reject oversized global TT response buffers {CVE-2026-31659} - drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() {CVE-2026-43206} - net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak {CVE-2026-43040} - ALSA: ctxfi: Limit PTP to a single page {CVE-2026-31602} - nvdimm/bus: Fix potential use after free in asynchronous initialization {CVE-2026-31399} - usb: class: cdc-wdm: fix reordering issue in read code path {CVE-2026-43427} - media: dvb-net: fix OOB access in ULE extension header tables {CVE-2026-31405} - sysctl: Fix data races in proc_douintvec(). {CVE-2022-49641} - netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() {CVE-2026-43450} - smb: client: reject userspace cifs.spnego descriptions - ALSA: caiaq: fix stack out-of-bounds read in init_card {CVE-2026-31778} - atm: lec: fix use-after-free in sock_def_readable() {CVE-2026-43050}