KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error

thermal: int340x: Add NULL check for adev

RISC-V: KVM: Teardown riscv specific bits after kvm_exit

wifi: ath11k: update channel list in reg notifier instead reg worker

f2fs: quota: fix to avoid warning in dquot_writeback_dquots()

dlm: prevent NPD when writing a positive value to event_done

f2fs: fix to avoid panic once fallocation fails for pinfile

cifs.upcall makes an upcall to the wrong namespace in containerized environments

wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path

HDF5 Metadata Attribute Decoder H5MM_strndup heap-based overflow

HDF5 Type Conversion Logic H5T__bit_copy heap-based overflow

Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23083.

HDF5 Scale-Offset Filter H5Z__scaleoffset_decompress_one_byte heap-based overflow

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.

Apache HTTP Server: mod_ssl access control bypass with session resumption

FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

Un-verified kernel bypass Secure Boot mechanism in direct boot mode