Accepted linux 6.12.86-1 (source) into stable-security

Kurzinfo

Veroeffentlicht: 2026-05-08 15:18 UTC Importiert: 2026-05-14 23:39 UTC Quelle-ID: debian_pts_linux uid_hash: 930873b43a0e188440bee913fbcd6cbec63a52b172fbe42164ba975a1b1bcb2d
Debian PTS — linux (Quellpaket)

Inhalt

From:

        Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To:

         <>

Subject:

    Accepted linux 6.12.86-1 (source) into stable-security

Date:

    Fri, 08 May 2026 14:53:07 +0000

Signed by: Salvatore Bonaccorso carnil@debian.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Format: 1.8 Date: Fri, 08 May 2026 08:54:02 +0200 Source: linux Architecture: source Version: 6.12.86-1 Distribution: trixie-security Urgency: high Maintainer: Debian Kernel Team debian-kernel@lists.debian.org Changed-By: Salvatore Bonaccorso carnil@debian.org Closes: 1113728 Changes: linux (6.12.86-1) trixie-security; urgency=high .

  • New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.86
    • ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
    • ALSA: usb-audio: Avoid false E-MU sample-rate notifications
    • ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
    • usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
    • usb: chipidea: otg: not wait vbus drop if use role_switch
    • usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change
    • ALSA: usb-audio: Evaluate packsize caps at the right place
    • LoongArch: Add spectre boundry for syscall dispatch table
    • drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
    • leds: qcom-lpg: Check for array overflow when selecting the high resolution
    • greybus: gb-beagleplay: bound bootloader receive buffering
    • greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()
    • misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
    • ibmasm: fix OOB reads in command_file_write due to missing size checks
    • ibmasm: fix heap over-read in ibmasm_send_i2o_message()
    • driver core: Don't let a device probe until it's ready
    • drm/nouveau: fix nvkm_device leak on aperture removal failure
    • kbuild: rust: allow clippy::uninlined_format_args
    • firmware: google: framebuffer: Do not mark framebuffer as busy
    • arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
    • padata: Fix pd UAF once and for all (CVE-2025-38584)
    • padata: Remove comment for reorder_work
    • rust: init: fix clippy::undocumented_unsafe_blocks warnings
    • drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
    • drm/amdgpu: Limit BO list entry count to prevent resource exhaustion (CVE-2026-23468)
    • device property: Make modifications of fwnode "flags" thread safe
    • ocfs2: split transactions in dio completion to avoid credit exhaustion
    • zram: do not forget to endio for partial discard requests
    • wifi: rtw88: check for PCI upstream bridge existence
    • vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
    • vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
    • um: drivers: call kernel_strrchr() explicitly in cow_user.c
    • spi: imx: fix use-after-free on unbind
    • spi: ch341: fix memory leaks on probe failures
    • mm/memory_hotplug: fix hwpoisoned large folio handling in do_migrate_range()
    • crypto: pcrypt - Fix handling of MAY_BACKLOG requests
    • of: unittest: fix use-after-free in of_unittest_changeset()
    • of: unittest: fix use-after-free in testdrv_probe()
    • hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
    • media: amphion: Fix race between m2m job_abort and device_run
    • ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
    • net: caif: clear client service pointer on teardown
    • net: strparser: fix skb_head leak in strp_abort_strp()
    • media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
    • crypto: atmel-sha204a - Fix OTP sysfs read and error handling
    • PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
    • Revert "ALSA: usb: Increase volume range that triggers a warning"
    • PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
    • lib/ts_kmp: fix integer overflow in pattern length calculation
    • media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()
    • net: qrtr: ns: Fix use-after-free in driver remove()
    • ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
    • ALSA: aoa: i2sbus: fix OF node lifetime handling
    • ALSA: ctxfi: Add fallback to default RSR for S/PDIF
    • ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
    • erofs: fix the out-of-bounds nameoff handling for trailing dirents
    • jbd2: fix deadlock in jbd2_journal_cancel_revoke()
    • md/raid10: fix deadlock with check operation and nowait requests
    • mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused
    • mtd: docg3: fix use-after-free in docg3_release()
    • nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
    • nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
    • parisc: _llseek syscall is only available for 32-bit userspace
    • remoteproc: xlnx: Only access buffer information if IPI is buffered
    • sched: Use u64 for bandwidth ratio calculations
    • rbd: fix null-ptr-deref when device_add_disk() fails
    • block: fix zone write plugs refcount handling in disk_zone_wplug_schedule_bio_work()
    • io_uring/timeout: check unused sqe fields
    • iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
    • io_uring/poll: fix signed comparison in io_poll_get_ownership()
    • io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
    • ALSA: core: Fix potential data race at fasync handling
    • ALSA: caiaq: Fix control_put() result and cache rollback
    • ALSA: caiaq: Handle probe errors properly
    • ALSA: 6fire: Fix input volume change detection
    • ALSA: pcmtest: fix reference leak on failed device registration
    • ALSA: pcmtest: Fix resource leaks in module init error paths
    • iio: adc: ad7768-1: fix one-shot mode data acquisition
    • rxrpc: Fix memory leaks in rxkad_verify_response()
    • rxrpc: Fix rxkad crypto unalignment handling
    • rxrpc: Fix re-decryption of RESPONSE packets
    • tools/accounting: handle truncated taskstats netlink messages
    • arm64: dts: marvell: uDPU: add ethernet aliases
    • net: qrtr: ns: Free the node during ctrl_cmd_bye()
    • net: rds: fix MR cleanup on copy error
    • net: txgbe: fix firmware version check
    • net/smc: avoid early lgr access in smc_clc_wait_msg
    • net: ks8851: Reinstate disabling of BHs around IRQ handler
    • netconsole: avoid out-of-bounds access on empty string in trim_newline()
    • net: ks8851: Avoid excess softirq scheduling
    • drm/arcpgu: fix device node leak
    • RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
    • ipv4: icmp: validate reply type before using icmp_pointers
    • libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
    • extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
    • tpm: avoid -Wunused-but-set-variable
    • LoongArch: Show CPU vulnerabilites correctly
    • power: supply: axp288_charger: Do not cancel work before initializing it
    • hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()
    • randomize_kstack: Maintain kstack_offset per task
    • mmc: block: use single block write in retry
    • mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
    • arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins
    • xfs: fix a resource leak in xfs_alloc_buftarg()
    • firmware: google: framebuffer: Do not unregister platform device
    • crypto: talitos - fix SEC1 32k ahash request limitation
    • crypto: talitos - rename first/last to first_desc/last_desc
    • pwm: imx-tpm: Count the number of enabled channels in probe
    • tpm: Fix auth session leak in tpm2_get_random() error path
    • tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
    • tpm: tpm_tis: add error logging for data transfer
    • tpm: tpm_tis: stop transmit if retries are exhausted
    • rtc: ntxec: fix OF node reference imbalance
    • mm/damon/core: use time_in_range_open() for damos quota window start
    • userfaultfd: allow registration of ranges below mmap_min_addr
    • KVM: x86: Defer non-architectural deliver of exception payload to userspace read
    • KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
    • KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
    • KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
    • KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
    • KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
    • KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
    • KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
    • KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
    • KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
    • KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
    • KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
    • KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
    • KVM: nSVM: Add missing consistency check for nCR3 validity
    • KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
    • KVM: nSVM: Always intercept VMMCALL when L2 is active
    • io_uring/poll: fix multishot recv missing EOF on wakeup race
    • perf annotate: Use jump__delete when freeing LoongArch jumps
    • ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
    • ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
    • mtd: spi-nor: sst: Fix write enable before AAI sequence
    • amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2
    • md/raid5: fix soft lockup in retry_aligned_read()
    • md/raid5: validate payload size before accessing journal metadata
    • check-uapi: link into shared objects
    • HID: apple: ensure the keyboard backlight is off if suspending
    • inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
    • x86/cpu: Disable FRED when PTI is forced on
    • wifi: rtl8xxxu: fix potential use of uninitialized value
    • tcp: call sk_data_ready() after listener migration
    • taskstats: set version in TGID exit notifications
    • mfd: core: Preserve OF node when ACPI handle is present
    • apparmor: use target task's context in apparmor_getprocattr()
    • Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
    • bus: mhi: host: pci_generic: Switch to async power up to avoid boot delays
    • can: ucan: fix devres lifetime
    • crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
    • crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
    • crypto: atmel-ecc - Release client on allocation failure
    • crypto: hisilicon - Fix dma_unmap_single() direction
    • crypto: ccree - fix a memory leak in cc_mac_digest()
    • crypto: atmel-tdes - fix DMA sync direction
    • crypto: atmel-sha204a - Fix error codes in OTP reads
    • crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
    • crypto: atmel-sha204a - Fix uninitialized data access on OTP read error
    • crypto: nx - Fix packed layout in struct nx842_crypto_header
    • dm mirror: fix integer overflow in create_dirty_log()
    • ceph: only d_add() negative dentries when they are unhashed
    • IB/core: Fix zero dmac race in neighbor resolution
    • ktest: Fix the month in the name of the failure directory
    • ntfs3: add buffer boundary checks to run_unpack()
    • ntfs3: fix integer overflow in run_unpack() volume boundary check
    • rtmutex: Use waiter::task instead of current in remove_waiter()
    • scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
    • seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
    • smb: client: validate the whole DACL before rewriting it in cifsacl (CVE-2026-31709)
    • f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() (CVE-2026-31715)
    • lib: test_hmm: evict device pages on file close to avoid use-after-free
    • f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
    • ksmbd: use msleep instaed of schedule_timeout_interruptible()
    • ksmbd: replace connection list with hash table
    • ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
    • thermal: core: Fix thermal zone governor cleanup issues
    • wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor
    • wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling
    • wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
    • mm/migrate: factor out movable_ops page handling into migrate_movable_ops_page()
    • mm/migrate: move movable_ops page handling out of move_to_new_folio()
    • mm: migrate: requeue destination folio on deferred split queue
    • ALSA: aoa: Use guard() for mutex locks
    • ALSA: aoa: i2sbus: clear stale prepared state
    • mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
    • media: rc: ttusbir: respect DMA coherency rules
    • ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
    • media: rc: igorplugusb: heed coherency rules
    • RDMA/mana_ib: Disable RX steering on RSS QP destroy
    • block: relax pgmap check in bio_add_page for compatible zone device pages
    • iio: frequency: admv1013: add dev variable
    • iio: frequency: admv1013: fix NULL pointer dereference on str
    • rxrpc: Fix potential UAF after skb_unshare() failure
    • net: qrtr: ns: Limit the maximum server registration per node
    • net: qrtr: ns: Limit the maximum number of lookups
    • net: bridge: use a stable FDB dst snapshot in RCU readers
    • net: mctp: fix don't require received header reserved bits to be zero
    • net: qrtr: ns: Limit the total number of nodes
    • spi: fix resource leaks on device setup failure
    • mm: prevent droppable mappings from being locked
    • crypto: authencesn - reject short ahash digests during instance creation
    • net: bonding: fix use-after-free in bond_xmit_broadcast() (CVE-2026-31419)
    • driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
    • ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
    • ALSA: caiaq: Don't abort when no input device is available
    • rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
    • ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
    • drm/amdgpu: fix zero-size GDS range init on RDNA4
    • ALSA: caiaq: fix usb_dev refcount leak on probe failure
    • net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
    • netfilter: reject zero shift in nft_bitwise . [ Ben Hutchings ]
  • Fix ordering of kernel version strings for multiple Debian revisions (Closes: #1113728)
  • rxrpc: Fix conn-level packet handling to unshare RESPONSE packets . [ Salvatore Bonaccorso ]
  • xfrm: esp: avoid in-place decrypt on shared skb frags
  • rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present Checksums-Sha1: 4fde1397005d6cee29beb38a203be3f3cf5bea20 288306 linux_6.12.86-1.dsc d3ada79b0c43803bb5f47a92b1301b2632586d4f 151247248 linux_6.12.86.orig.tar.xz fc832a98addda060f326cb25325b20f0b373541f 1812972 linux_6.12.86-1.debian.tar.xz 60e6591527003428a39abbe3987536b3f581df4b 6923 linux_6.12.86-1_source.buildinfo Checksums-Sha256: fc5315f4946bc6749aa0bf1df9bf0901b3fe0344876e1e08e0bdf67556aeb106 288306 linux_6.12.86-1.dsc 74ae12a1a62311e096d05a0b006c8447d9007809b0b7604a643293914871982b 151247248 linux_6.12.86.orig.tar.xz 81d68f571ad15a2d4697a6552f2d8ac16b0b6942e453138a8ec58cc927d3673e 1812972 linux_6.12.86-1.debian.tar.xz 9cbe45e8cf58db4f49d515c05015d9efdcf1ff0d4d0b48beabf802d460941cfa 6923 linux_6.12.86-1_source.buildinfo Files: 914b33321c5af8b16d552e2a240c8f24 288306 kernel optional linux_6.12.86-1.dsc 226b32053b554dde2373ff5a5bd318d7 151247248 kernel optional linux_6.12.86.orig.tar.xz bd70aa9ae2b6efa695beb4e4c589ac68 1812972 kernel optional linux_6.12.86-1.debian.tar.xz 4bd4d6deb36744c6f01e6eea1cb7197d 6923 kernel optional linux_6.12.86-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmn9inNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89Em/0P/josPevlpDgn9imOHRsrONoz2hXPZnZj t+Huhj4mvciynueJUl2mhoR1pIK0GpO2wlQsKWr++GOewtlcgM99C85Fh1bK/97c O77ucp9eExIe1ItyXrcTapDQPVgInThAh3mcBLkCv77nWRJqV6cmjsC+AldLlIEv gQvaVv7zaoi9zkavaxSV7xrud1Ptu8kHi3xT8mj8nU6uA5UE7CBzcsPcxhA6REbB 4IhSGQX19jLz45bYggcUyzwpkjR8QrKYneb22xH97v3lploV1BIjaXOFKM92qPfc xm/s8y8VlfelVOelENyvwO0X5I2ef5lBSUcYwLk/HAnW8EDM3JZ7TeCRvNVQJu6q TTorzeczyKs5S92ubGi5+wRJoKpit2A5IVoYRAkce0AE4ROfPvYkA5pR4yyjlekN 7F8woOHNQ067d98nTa+h22sJlk/3HrDbNVCQsXO/vuLWUGHZ5ymJlHrlZckc6Eq3 SnwuQ2R2kFx8gI/eRR1GcPHPDnfP9OqHm6Znm6DvFfHC5jR52O4b6q4PPE7uvbdA okJf8qJ9kNcRqfVIZnlyJvdt+XrkkthOnBM5jn8QSGyS5JsiIXc5kXg97KiU9ghn hkpuzffli6vVOHDe7swfZJxhC6zIGKp/zsaci/8/i4FRfc91Cfr/hCbyHQdQSgf2 dQ4FU/NJAGCm =lI0G -----END PGP SIGNATURE-----

Verknuepfte CVEs

CVE-ID Severity (CVE.org) CVSS (CVE.org) EPSS EPSS-% Veroeffentlicht (CVE.org)

CVE-2025-38584

 - - - -

CVE-2026-23468

 - - - -

CVE-2026-31419

 - - - -

CVE-2026-31709

 - - - -

CVE-2026-31715

 - - - -

Quellen-Details

Bezeichnung Name Kategorie Tags Zielgruppe Sprache Feed-URL
Debian PTS — linux (Quellpaket)

debian_pts_linux

 package_tracker debian, linux, kernel - de https://tracker.debian.org/pkg/linux/rss
Zurueck zur Eintrags-Liste