A use-after-free issue was discovered in the cfg80211 subsystem, caused by freeing beacon_ies structures even when they were still referenced through hidden_beacon_bss.

tcp_disconnect() failed to clear tcp_sk(sk)->fastopen_rsk when reusing a TFO socket (e.g., after accept() → connect(AF_UNSPEC) → connect() sequence). This left a stale reference, allowing the retransmit timer to access a freed request_sock, triggering a kernel warning or potential UAF.

A vulnerability has been identified in the Linux kernel's Network File System (NFS) daemon that could allow for a Denial of Service and in worst case scenario Arbitrary Code Execution. This Use-After-Free flaw arises from a race condition when the kernel handles the confirmation of an NFS client identifier. If an NFS client is expiring while this confirmation is in progress, the system can attempt to use memory that is no longer allocated.

n the Linux kernel, the following vulnerability has been resolved: e1000e: fix heap overflow in e1000_set_eeprom.

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: fix linked list corruption.

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs.

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Disallow dirty tracking if incoherent page walk.

In the Linux kernel, the following vulnerability has been resolved: ice: ice_adapter: release xa entry on adapter allocation failure.