-
Tue May 19 2026 Natalya Naumova <natalya.naumova@oracle.com> [5.14.0-687.5.3.el9_8.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
-
Sat May 09 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.5.3.el9_8]
- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174563] {CVE-2026-43284}
-
Fri May 01 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.5.2.el9_8]
- crypto: algif_aead - snapshot IV for async AEAD requests (Herbert Xu) [RHEL-172543]
- crypto: algif_aead - Fix minimum RX size check for decryption (Herbert Xu) [RHEL-172543]
- crypto: authencesn - reject short ahash digests during instance creation (Herbert Xu) [RHEL-172543]
- crypto: authencesn - Fix src offset when decrypting in-place (Herbert Xu) [RHEL-172543]
- crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption (Herbert Xu) [RHEL-172543] {CVE-2026-31431}
- crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (Herbert Xu) [RHEL-172543] {CVE-2026-23060}
- crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl (Herbert Xu) [RHEL-172543]
- crypto: af_alg - limit RX SG extraction by receive buffer budget (Herbert Xu) [RHEL-172543] {CVE-2026-31677}
- crypto: algif_aead - Revert to operating out-of-place (Herbert Xu) [RHEL-172543] {CVE-2026-31431}
- crypto: af-alg - fix NULL pointer dereference in scatterwalk (Herbert Xu) [RHEL-172543]
-
Wed Apr 01 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.5.1.el9_8]
- kabi: enable check-kabi (Čestmír Kalina) [RHEL-153672]
- kabi: add symbols to stablelist (Čestmír Kalina) [RHEL-153672]
- RDMA/umad: Reject negative data_len in ib_umad_write (CKI Backport Bot) [RHEL-156878] {CVE-2026-23243}
- net/mlx5: Fix ECVF vports unload on shutdown flow (CKI Backport Bot) [RHEL-154538] {CVE-2025-38109}
- iavf: fix PTP use-after-free during reset (Petr Oros) [RHEL-112567]
-
Fri Mar 27 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.4.1.el9_8]
- mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure (Audra Mitchell) [RHEL-150478] {CVE-2026-23144}
- ixgbevf: add missing negotiate_features op to Hyper-V ops table (CKI Backport Bot) [RHEL-155365]
- libceph: adapt ceph_x_challenge_blob hashing and msgr1 message signing (Ilya Dryomov) [RHEL-155611]
- libceph: add support for CEPH_CRYPTO_AES256KRB5 (Ilya Dryomov) [RHEL-155611]
- libceph: introduce ceph_crypto_key_prepare() (Ilya Dryomov) [RHEL-155611]
- libceph: generalize ceph_x_encrypt_offset() and ceph_x_encrypt_buflen() (Ilya Dryomov) [RHEL-155611]
- libceph: define and enforce CEPH_MAX_KEY_LEN (Ilya Dryomov) [RHEL-155611]
- libceph: Remove unused ceph_crypto_key_encode (Ilya Dryomov) [RHEL-155611]
- redhat/configs: disable CONFIG_CRYPTO_KRB5_SELFTESTS (Ilya Dryomov) [RHEL-155611]
- redhat/configs: enable CONFIG_CRYPTO_KRB5[ENC] (Ilya Dryomov) [RHEL-155611]
- crypto: krb5 - Fix memory leak in krb5_test_one_prf() (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Fix change to use SG miter to use offset (Ilya Dryomov) [RHEL-155611]
- crypto: krb5 - Use SG miter instead of doing it by hand (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement crypto self-testing (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement the Camellia enctypes from rfc6803 (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement the AES enctypes from rfc8009 (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement the AES enctypes from rfc3962 (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement the Kerberos5 rfc3961 get_mic and verify_mic (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement the Kerberos5 rfc3961 encrypt and decrypt functions (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Provide RFC3961 setkey packaging functions (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement the Kerberos5 rfc3961 key derivation (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Provide infrastructure and key derivation (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Add an API to perform requests (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Add an API to alloc and prepare a crypto object (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Add an API to query the layout of the crypto section (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Implement Kerberos crypto core (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Add some constants out of sunrpc headers (Ilya Dryomov) [RHEL-155611]
- crypto/krb5: Test manager data (Ilya Dryomov) [RHEL-155611]
- crypto: Add 'krb5enc' hash and cipher AEAD algorithm (Ilya Dryomov) [RHEL-155611]
- ice: Fix PTP NULL pointer dereference during VSI rebuild (CKI Backport Bot) [RHEL-150246] {CVE-2026-23210}
- smb: client: fix oops due to uninitialised var in smb2_unlink() (Paulo Alcantara) [RHEL-154396]
- wifi: mac80211_hwsim: fix typo in frequency notification (CKI Backport Bot) [RHEL-148653] {CVE-2026-23040}
-
Fri Mar 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.3.1.el9_8]
- HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save (Benjamin Tissoires) [RHEL-142234] {CVE-2025-39818}
- NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Scott Mayhew) [RHEL-151415]
- perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler (Michael Petlan) [RHEL-155340]
- perf: Extend the bit width of the arch-specific flag (Michael Petlan) [RHEL-155340]
- perf: Remove unnecessary parameter of security check (Michael Petlan) [RHEL-155340]
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (CKI Backport Bot) [RHEL-150423] {CVE-2026-23193}
- nfsd: add list_head nf_gc to struct nfsd_file (Roberto Bergantinos Corpas) [RHEL-152552]
- redhat: genlog: add new JIRA cloud server hostname (Jan Stancek)
- gfs2: less aggressive low-memory log flushing (Andreas Gruenbacher) [RHEL-153055]
- io_uring: graduate to full support (Jeff Moyer) [RHEL-120699]
- netfilter: nf_tables: fix use-after-free in nf_tables_addchain() (CKI Backport Bot) [RHEL-153270] {CVE-2026-23231}
- net: atm: fix /proc/net/atm/lec handling (Hangbin Liu) [RHEL-146424] {CVE-2025-38180}
- net: atm: add lec_mutex (Hangbin Liu) [RHEL-146424]
- macvlan: observe an RCU grace period in macvlan_common_newlink() error path (Hangbin Liu) [RHEL-150227]
- macvlan: fix error recovery in macvlan_common_newlink() (Hangbin Liu) [RHEL-150227] {CVE-2026-23209}
- spi: tegra210-quad: Protect curr_xfer check in IRQ handler (Charles Mirabile) [RHEL-145814]
- spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer (Charles Mirabile) [RHEL-145814]
- spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer (Charles Mirabile) [RHEL-145814]
- spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one (Charles Mirabile) [RHEL-145814]
- spi: tegra210-quad: Move curr_xfer read inside spinlock (Charles Mirabile) [RHEL-145814]
- spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer (Charles Mirabile) [RHEL-145814]
- migrate: correct lock ordering for hugetlb file folios (Luiz Capitulino) [RHEL-147267] {CVE-2026-23097}
- ALSA: aloop: Fix racy access at PCM trigger (Jaroslav Kysela) [RHEL-150131] {CVE-2026-23191}
-
Wed Mar 11 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.2.1.el9_8]
- netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (CKI Backport Bot) [RHEL-149749] {CVE-2026-23111}
- bonding: fix use-after-free due to enslave fail after slave array update (CKI Backport Bot) [RHEL-152386] {CVE-2026-23171}
- Add signing key for Nvidia Jetson and Bluefield GPU signing keys (Enrique Belarte Luque) [RHEL-145938]
- Add NVIDIA Jetson signing key for OOT modules (Enrique Belarte Luque) [RHEL-145938]
- vsock: lock down child_ns_mode as write-once (Stefano Garzarella) [RHEL-117126]
- vsock: Use container_of() to get net namespace in sysctl handlers (Stefano Garzarella) [RHEL-117126]
- vsock: prevent child netns mode switch from local to global (Stefano Garzarella) [RHEL-117126]
- vsock: fix child netns mode initialization (Stefano Garzarella) [RHEL-117126]
- vsock: add netns support to virtio transports (Stefano Garzarella) [RHEL-117126]
- virtio: set skb owner of virtio_transport_reset_no_sock() reply (Stefano Garzarella) [RHEL-117126]
- vsock: add netns to vsock core (Stefano Garzarella) [RHEL-117126]
- vhost/vsock: improve RCU read sections around vhost_vsock_get() (Stefano Garzarella) [RHEL-117126]
- vsock: fix lock inversion in vsock_assign_transport() (Stefano Garzarella) [RHEL-117126]
- vsock: Do not allow binding to VMADDR_PORT_ANY (Stefano Garzarella) [RHEL-117126]
- vsock: reset socket state when de-assigning the transport (Stefano Garzarella) [RHEL-117126]
- vsock/virtio: cancel close work in the destructor (Stefano Garzarella) [RHEL-117126]
- dpll: zl3073x: Fix output pin phase adjustment sign (Ivan Vecera) [RHEL-149693]
-
Wed Mar 04 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.1.1.el9_8]
- mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather (Rafael Aquini) [RHEL-150765]
- mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() (Rafael Aquini) [RHEL-150765]
- mm/hugetlb: convert use of struct page to folio in __unmap_hugepage_range() (Rafael Aquini) [RHEL-150765]
- mm/hugetlb: refactor __unmap_hugepage_range() to take folio instead of page (Rafael Aquini) [RHEL-150765]
- mm/hugetlb: refactor unmap_hugepage_range() to take folio instead of page (Rafael Aquini) [RHEL-150765]
- mm/hugetlb: pass folio instead of page to unmap_ref_private() (Rafael Aquini) [RHEL-150765]
- mm/hugetlb: fix two comments related to huge_pmd_unshare() (Rafael Aquini) [RHEL-150765]
- mm/hugetlb: fix hugetlb_pmd_shared() (Rafael Aquini) [RHEL-150765] {CVE-2026-23100}
- mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count (Rafael Aquini) [RHEL-150765]
- mm: hugetlb: independent PMD page table shared count (Rafael Aquini) [RHEL-150765] {CVE-2024-57883}
- mm/rmap: fix two comments related to huge_pmd_unshare() (Rafael Aquini) [RHEL-150765]
- mm/rmap: introduce and use hugetlb_remove_rmap() (Rafael Aquini) [RHEL-150765]
- x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() (Rafael Aquini) [RHEL-150765] {CVE-2025-39845}
- mm: introduce and use {pgd,p4d}_populate_kernel() (Rafael Aquini) [RHEL-150765]
- mm: move page table sync declarations to linux/pgtable.h (Rafael Aquini) [RHEL-150765] {CVE-2025-39844}
- redhat: update self-test data (Patrick Talbert)
- redhat: set defaults for 9.8 (Patrick Talbert)
- gitlab-ci: disttag override for 9.8 (Patrick Talbert)
- ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (CKI Backport Bot) [RHEL-143546] {CVE-2025-71085}
-
Mon Feb 23 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.el9]
- cifs: some missing initializations on replay (Paulo Alcantara) [RHEL-148619]
- cifs: remove unnecessary tracing after put tcon (Paulo Alcantara) [RHEL-148619]
- smb: client: fix data corruption due to racy lease checks (Paulo Alcantara) [RHEL-148619]
- smb: client: fix regression with mount options parsing (Paulo Alcantara) [RHEL-148619]
- Revert: ipmi:msghandler: Move timer handling into a work queue (Tony Camuso) [RHEL-149762]
- Revert: ipmi:si: Move SI type information into an info structure (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Use READ_ONCE on run_to_completion (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Rename recv_work to smi_work (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Deliver user messages in a work queue (Tony Camuso) [RHEL-149762]
- Revert: ipmi_msghandler: Change the events lock to a mutex (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Use the system_wq, not system_bh_wq (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Remove srcu from the ipmi user structure (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Remove srcu for the ipmi_interfaces list (Tony Camuso) [RHEL-149762]
- Revert: ipmi:watchdog: Change lock to mutex (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Add a note about the pretimeout callback (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Remove some user level processing in panic mode (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Fix locking around users and interfaces (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Don't acquire a user refcount for queued messages (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Don't check for shutdown when returning responses (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Remove proc_fs.h (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Shut down lower layer first at unregister (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Add a error return from unhandle LAN cmds (Tony Camuso) [RHEL-149762]
- Revert: ipmi:si: Rework startup of IPMI devices (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Don't deliver messages to deleted users (Tony Camuso) [RHEL-149762]
- Revert: ipmi:ssif: Fix a shutdown race (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Export and fix panic messaging capability (Tony Camuso) [RHEL-149762]
- Revert: ipmi:watchdog: Use the new interface for panic messages (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Fix strcpy source and destination the same (Tony Camuso) [RHEL-149762]
- Revert: char: ipmi: remove redundant variable 'type' and check (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Use dev_warn_ratelimited() for incorrect message warnings (Tony Camuso) [RHEL-149762]
- Revert: ipmi:msghandler:Change seq_lock to a mutex (Tony Camuso) [RHEL-149762]
- Revert: Revert "ipmi: fix msg stack when IPMI is disconnected" (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Rework user message limit handling (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Differentiate between reset and firmware update in maintenance (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Disable sysfs access and requests in maintenance mode (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Add a maintenance mode sysfs file (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Set a timer for maintenance mode (Tony Camuso) [RHEL-149762]
- Revert: ipmi:si: Merge some if statements (Tony Camuso) [RHEL-149762]
- Revert: ipmi:si: Move flags get start to its own function (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Allow an SMI sender to return an error (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Rename "user_data" to "recv_msg" in an SMI message (Tony Camuso) [RHEL-149762]
- Revert: ipmi:si: Gracefully handle if the BMC is non-functional (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Add Loongson-2K BMC support (Tony Camuso) [RHEL-149762]
- Revert: ipmi: Fix handling of messages with provided receive message pointer (Tony Camuso) [RHEL-149762]
- nvme: fix memory leak in quirks_param_set() (Maurizio Lombardi) [RHEL-148489]
-
Thu Feb 19 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-686.el9]
- pmdomain: core: Move the unused cleanup to a _sync initcall (Rupinderjit Singh) [RHEL-147489]
- net/ipv4: Use nested-BH locking for ipv4_tcp_sk. (Davide Caratti) [RHEL-82508]
- ipv4/tcp: do not use per netns ctl sockets (Davide Caratti) [RHEL-82508]
- cpuidle: menu: Use residency threshold in polling state override decisions (Mark Langsdorf) [RHEL-135548]
- spi: tegra210-qspi: Remove cache operations (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: Check hardware status on timeout (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: Refactor error handling into helper functions (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: Fix timeout handling (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: Add support for internal DMA (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: Update dummy sequence configuration (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: add rate limiting and simplify timeout error message (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts (Charles Mirabile) [RHEL-127129]
- spi: tegra210-quad: modify chip select (CS) deactivation (Charles Mirabile) [RHEL-127129]