Integer overflow in netfilter's do_replace() function, memory corruption in usb/gadget driver. Kernel memory content leak through sockaddr_in.sin_zero.
vulners.com/securityvulns/securityvulns:doc:11906
vulners.com/securityvulns/securityvulns:doc:11922