Unprivileged root via an out-of-bounds write in the FUSE readdir cache (CVE-2026-31694)

Unprivileged root via a use-after-free in DRM GEM change_handle (CVE-2026-46215)