INFSA-2025:16880: kernel security update

Information about definition

Identifier: INFSA-2025:16880

Type: security

Release date: 2025-10-02 10:32:55 UTC

Information about package

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Vulnerability descriptions

  • CVE-2025-38472

    The vulnerability in nf_conntrack can be triggered by an unprivileged user under typical configurations where user and network namespaces are available (e.g., via unshare or CLONE_NEWNET). This enables the user to initiate Netfilter-based networking operations (such as NAT or connection tracking) even if the system had no prior active conntrack entries. Since exploitation does not require elevated privileges beyond what is granted in the default namespace setup with CAP_NET_RAW or similar, the Privileges Required (PR) is assessed as Low. The primary attack vector is remote-triggered packets from user-controlled namespaces that cause conntrack allocation and destruction races, leading to a potential kernel panic.

  • CVE-2025-38527

    In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break.

  • CVE-2025-38718

    A flaw in the SCTP receive path failed to linearize cloned GSO sk_buffs before accessing fraglists, leading to reads of uninitialized memory as reported by KMSAN. An attacker sending SCTP traffic can trigger incorrect processing and potentially cause a kernel denial of service on the target under specific RX conditions. Stream Control Transmission Protocol (SCTP) is a transport-layer protocol (like TCP or UDP) primarily used in telecom signaling and some specialized applications. On most Linux systems it is disabled by default, and remote connectivity is only possible if SCTP support is enabled and listening services are configured (commonly using the IANA-assigned port 2905/tcp for M3UA or other protocol-specific ports). Therefore, the vulnerability is only exploitable when SCTP is enabled and reachable on the target system. Although KMSAN reports this issue as use of uninitialized memory (which deterministically crashes with KMSAN enabled), on production kernels the impact is still availability-related.

  • CVE-2025-39682

    A logic bug in the kTLS receive path mishandles zero-length records taken from the rx_list, allowing a mixed record-type sequence to slip past the per-recvmsg() type constraint and proceed to data processing. The fix initializes and checks the per-call content type (using 0 as “unset”) and bails out when a non-DATA record is encountered after DATA. This issue can be remotely triggered only when the kernel TLS ULP (kTLS, enabled via CONFIG_TLS and attached to TCP sockets with SOL_TLS) is in use.

  • CVE-2025-39698

    A flaw in io_uring’s futex path freed io_futex_data on error but left req->async_data and the REQ_F_ASYNC_DATA flag inconsistent, creating a window for use-after-free. This issue is reachable by any unprivileged local user via io_uring futex operations. The most plausible impact is denial of service, since the freed structure is small and not directly attacker-controlled, making exploitation for privilege escalation very unlikely. Still, as with any use-after-free in kernel space, the worst-case impact would be privilege escalation.
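Each description above names the condition a host must meet before the flaw is reachable (unprivileged user namespaces, SCTP enabled, the kTLS ULP loaded, io_uring available to unprivileged users). The following script, an added example that is not part of the advisory, reads those facts from a Linux host and lists which CVEs from this advisory have their trigger condition present, which helps decide how urgently to apply the update. The cifs precondition is inferred from the function name cifs_oplock_break; sysctl names and /proc paths are the standard ones and the checks are heuristics, not proof of exposure.

```python
"""Exposure triage for INFSA-2025:16880 (added example, not advisory content):
report which CVEs have their trigger conditions present on this host."""
import glob
import os
import re
from pathlib import Path

# Precondition per CVE, from the advisory text (cifs inferred from the name
# cifs_oplock_break; io_uring exposure gated by sysctl kernel.io_uring_disabled).
PRECONDITIONS = {
    "CVE-2025-38472": "userns",    # unprivileged user+net namespaces (nf_conntrack)
    "CVE-2025-38527": "cifs",      # smb client built in or loaded
    "CVE-2025-38718": "sctp",      # SCTP support enabled
    "CVE-2025-39682": "ktls",      # kernel TLS ULP built in or loaded
    "CVE-2025-39698": "io_uring",  # io_uring usable by unprivileged users
}

def config_value(kconfig_text, option):
    """Value of CONFIG_<option> in a kernel config ('y', 'm', ...) or None if unset."""
    m = re.search(rf"^CONFIG_{option}=(\S+)$", kconfig_text, re.M)
    return m.group(1).strip('"') if m else None

def host_facts(modules_text, kconfig_text, max_userns, io_uring_disabled):
    """Map precondition names to booleans from raw host inputs (None = file absent)."""
    # /proc/modules lines: 'name size refcount deps state addr'
    mods = {ln.split()[0] for ln in modules_text.splitlines() if ln.strip()}
    def present(module, option):  # loaded as a module, or built into the kernel
        return module in mods or config_value(kconfig_text, option) == "y"
    return {
        "userns": int(max_userns or 0) > 0,  # sysctl user.max_user_namespaces
        "cifs": present("cifs", "CIFS"),
        "sctp": present("sctp", "IP_SCTP"),
        "ktls": present("tls", "TLS"),
        # kernel.io_uring_disabled: 0 (or absent) = all users, 1 = root only, 2 = off
        "io_uring": int(io_uring_disabled or 0) == 0,
    }

def exposed_cves(facts):
    return sorted(cve for cve, key in PRECONDITIONS.items() if facts[key])

def read_host():
    read = lambda p: Path(p).read_text() if Path(p).exists() else ""
    cfg = glob.glob(f"/boot/config-{os.uname().release}")
    return host_facts(read("/proc/modules"), read(cfg[0]) if cfg else "",
                      read("/proc/sys/user/max_user_namespaces").strip() or None,
                      read("/proc/sys/kernel/io_uring_disabled").strip() or None)

if __name__ == "__main__":
    for cve in exposed_cves(read_host()):
        print(f"{cve}: trigger precondition present on this host")
```

A module that is available (CONFIG_...=m) but not loaded is reported as not present, since the code path is not reachable until it loads; treat that as "exposed on demand" if users can autoload modules.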

Severity level

CVE             Score CVSS 2.0   Score CVSS 3.x   Score CVSS 4.0
CVE-2025-38472  no information   7.1              no information
CVE-2025-38527  no information   7.0              no information
CVE-2025-38718  no information   7.5              no information
CVE-2025-39682  no information   7.0              no information
CVE-2025-39698  no information   7.3              no information

Updated packages
