The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c * net/ulp: use-after-free in listening ULP sockets * cpu: AMD CPUs may transiently execute beyond unconditional direct branch * malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory * possible race condition in drivers/tty/tty_buffers.c * KVM: NULL pointer dereference in kvm_mmu_invpcid_gva * use-after-free in free_pipe_info could lead to privilege escalation * KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks * netfilter: nf_conntrack_irc message handling issue * race condition in xfrm_probe_algs can lead to OOB read/write * out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c * race condition in hugetlb_no_page in mm/hugetlb.c * memory leak in ipv6_renew_options * data races around icsk-gt;icsk_af_ops in do_ipv6_setsockopt * data races around sk-gt;sk_prot * memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c * denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry * use-after-free after failed devlink reload in devlink_param_get * USB-accessible buffer overflow in brcmfmac * use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c * Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed * mptcp: NULL pointer dereference in subflow traversal at disconnect time * l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference * igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets * lockdown bypass using IMA * double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c * network backend may cause Linux netfront to use freed SKBs * unmap_mapping_range race with munmap on VM_PFNMAP mappings leads to stale TLB entry * TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning * u8 overflow problem in cfg80211_update_notlisted_nontrans * use-after-free related to leaf anon_vma double reuse * use-after-free in bss_ref_get in net/wireless/scan.c * BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c * Denial of service in beacon protection for P2P-device * memory corruption in usbmon driver * NULL pointer dereference in traffic control subsystem * NULL pointer dereference in rawv6_push_pending_frames * use-after-free due to race condition in qdisc_graft * use-after-free caused by invalid pointer hostname in fs/cifs/connect.c * denial of service in tipc_conn_close For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.