tcp_disconnect() failed to clear tcp_sk(sk)->fastopen_rsk when reusing a TFO socket (e.g., after accept() → connect(AF_UNSPEC) → connect() sequence). This left a stale reference, allowing the retransmit timer to access a freed request_sock, triggering a kernel warning or potential UAF.

A vulnerability has been identified in the Linux kernel's Network File System (NFS) daemon that could allow for a Denial of Service and in worst case scenario Arbitrary Code Execution. This Use-After-Free flaw arises from a race condition when the kernel handles the confirmation of an NFS client identifier. If an NFS client is expiring while this confirmation is in progress, the system can attempt to use memory that is no longer allocated.

n the Linux kernel, the following vulnerability has been resolved: e1000e: fix heap overflow in e1000_set_eeprom.

In the Linux kernel, the following vulnerability has been resolved: nbd: fix incomplete validation of ioctl arg.

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix race with concurrent opens in rename.

In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory.