dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count. A flaw was found in the ATA over Ethernet driver in the Linux kernel. The aoecmd_cfg_pkts function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access