In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails.

A remotely reachable flaw in the SUNRPC NFS-over-TLS server could allow a client to trigger a kernel crash by sending a crafted TLS alert. The issue lies in how the kernel processes TLS control messages, which can lead to use-after-free or invalid memory accesses during alert handling.

The flaw is in the seqiv IV generator and can lead to a use-after-free when backlogged crypto requests return -EBUSY. Triggering it is easier locally by flooding the kernel crypto API (e.g. via AF_ALG or many concurrent AEAD requests) because the attacker must create backlog conditions. Remote triggering is much harder and only realistic for specific configurations (for example an in-kernel IPsec/TLS path that uses seqiv for AEAD). In practice this means an unprivileged local user with access to the kernel crypto interface is the most likely threat vector, while a remote attacker would need the target to both use seqiv and be inducible into heavy crypto backlog.

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts.

In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare.

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path.

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result().

In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Check start of empty przs during init.

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put().

In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy.

A use-after-free in the XTS skcipher template where -EBUSY from the crypto backend (with MAY_BACKLOG) was not treated like -EINPROGRESS, causing request data to be freed while still referenced. Impact is kernel memory corruption (high integrity/availability impact).

Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by timing attack in MAC comparison.

Linux Kernel could allow a local attacker to obtain secrets from a hypervisor in a cloud environment, caused by a flaw in the handling of the branch target buffer (BTB) entries. This vulnerability is known as VMSCAPE.