New Spectre-v2 attack classes have been discovered within CPU architectures that enable self-training exploitation of speculative execution within the same privilege domain. These novel techniques bypass existing hardware and software mitigations, including IBPB, eIBRS, and BHI_NO, by leveraging in-kernel gadgets (potentially accessible via SECCOMP/cBPF), Branch Target Buffer (BTB) aliasing, and direct-to-indirect branch predictor training. While the root cause lies in CPU architectural behavior, the vulnerability manifests through kernel-level speculation paths, allowing attackers to potentially leak sensitive memory.

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race.

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds.

In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type().

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before.

A denial of service vulnerability has been discovered in the Linux kernel's UDP Generic Segmentation Offload (GSO) functionality. This flaw allows a local, unprivileged user to trigger a kernel crash by generating UDP packets with a specially malformed frag_list geometry. Successful exploitation of this vulnerability could lead to a system crash, severely impacting the availability and stability of the affected system.

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush().

In the Linux kernel, the following vulnerability has been resolved: i2c/designware: Fix an initialization issue.

In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock.