kernel_range: refresh tables from Debian tracker — 5 MISSING adds + 4 off-by-one harmonisations

First batch of fixes surfaced by tools/refresh-kernel-ranges.py.
Drift drops from 18 actionable findings (5 MISSING + 13 TOO_TIGHT)
to 13 (now only 1 MISSING + 12 TOO_TIGHT). The remaining
TOO_TIGHT findings all involve threshold-version drops of 2+
patch versions; those need per-commit verification against
git.kernel.org/linus before applying (saving for a follow-up).

MISSING adds — branches Debian has fixed that we had no entry for:

  af_unix_gc (CVE-2023-4622):
    + {6, 4, 13}   stable 6.4.x (forky/sid/trixie all at this version)

  dirtydecrypt (CVE-2026-31635):
    + {6, 19, 13}  stable 6.19.x (forky/sid) — our previous table
                   only listed mainline 7.0.0; Debian is shipping
                   the fix on the 6.19 branch ahead of 7.0 release.

  overlayfs_setuid (CVE-2023-0386):
    + {5, 10, 179} stable 5.10.x (bullseye)

  vmwgfx (CVE-2023-2008):
    + {5, 10, 127} stable 5.10.x (bullseye)
    + {5, 18, 14}  stable 5.18.x (bookworm/forky/sid/trixie)

TOO_TIGHT harmonisations — single-patch-version differences,
almost certainly off-by-one curation errors on our side:

  nf_tables (CVE-2024-1086):
    {5, 10, 210} -> {5, 10, 209}    (Debian bullseye)

  nft_payload (CVE-2023-0179):
    {5, 10, 163} -> {5, 10, 162}    (Debian bullseye)

  nft_set_uaf (CVE-2023-32233):
    {5, 10, 180} -> {5, 10, 179}    (Debian bullseye)
    {6,  1,  28} -> {6,  1,  27}    (Debian bookworm)

Larger TOO_TIGHT diffs deferred:
  - cgroup_release_agent (5.16.9 -> 5.16.7, diff 2)
  - cls_route4           (5.18.18 -> 5.18.16, diff 2; 5.10.143 -> 5.10.136, diff 7)
  - dirty_cow            (4.7.10 -> 4.7.8, diff 2)
  - dirty_pipe           (5.10.102 -> 5.10.92, diff 10)
  - netfilter_xtcompat   (5.10.46 -> 5.10.38, diff 8)
  - overlayfs_setuid     (6.1.27 -> 6.1.11, diff 16)
  - ptrace_traceme       (4.19.58 -> 4.19.37, diff 21)
  - sequoia              (5.10.52 -> 5.10.46, diff 6)

These need per-commit confirmation against the upstream-stable
kernel changelog before lowering our threshold. Conservatively
keeping the current (more strict) values until each is verified.

Verification:
- Linux (docker gcc:latest + libglib2.0-dev + sudo): 44/44 tests
  pass, full build clean.
- macOS (local): 31-module build clean.
- tools/refresh-kernel-ranges.py rerun: drift reduced 18 -> 13.
2026-05-23 00:58:04 -04:00
parent df4b879527
commit 8de46e212e
7 changed files with 13 additions and 8 deletions
@@ -105,6 +105,7 @@ static const struct kernel_patched_from af_unix_gc_patched_branches[] = {
{5, 10, 197}, {5, 10, 197},
{5, 15, 130}, {5, 15, 130},
{6, 1, 51}, /* 6.1 LTS */ {6, 1, 51}, /* 6.1 LTS */
{6, 4, 13}, /* 6.4.x stable (per Debian tracker — forky/sid/trixie) */
{6, 5, 0}, /* mainline fix landed in 6.5 (technically 6.6-rc1 {6, 5, 0}, /* mainline fix landed in 6.5 (technically 6.6-rc1
but stable 6.5.x carries the patch) */ but stable 6.5.x carries the patch) */
}; };
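Review bot: The new `{6, 4, 13}` entry is keyed to a Debian suite package version rather than an upstream stable tag, and for a short-lived non-LTS branch like 6.4 the tracker's per-suite "fixed" version is whatever package Debian shipped with the fix, which can carry it as a distro patch ahead of the stable point release. If that is the case here, a vanilla 6.4.13 kernel is reported patched while still exposed, which is the unsafe direction for a detection table; a too-high threshold only costs a false positive. The comment should at least record the provenance and the open check, e.g. `{6, 4, 13}, /* 6.4.x — Debian package version (forky/sid/trixie); TODO confirm against the stable-6.4.13 changelog */`. The array declaration is the hunk's context line, so the table starts outside this hunk.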
@@ -673,7 +673,8 @@ static int dd_active_probe(void)
* or weird distro rebuilds the version check missed) * or weird distro rebuilds the version check missed)
*/ */
static const struct kernel_patched_from dirtydecrypt_patched_branches[] = { static const struct kernel_patched_from dirtydecrypt_patched_branches[] = {
{7, 0, 0}, /* mainline fix commit a2567217 landed in Linux 7.0 */ {6, 19, 13}, /* 6.19.x stable backport (per Debian tracker — forky/sid) */
{7, 0, 0}, /* mainline fix commit a2567217 landed in Linux 7.0 */
}; };
static const struct kernel_range dirtydecrypt_range = { static const struct kernel_range dirtydecrypt_range = {
.patched_from = dirtydecrypt_patched_branches, .patched_from = dirtydecrypt_patched_branches,
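Review bot: The added `{6, 19, 13}` is described in the commit message as Debian shipping the fix "ahead of 7.0 release", and that wording leaves open whether 6.19.13 upstream contains the backport or whether Debian's 6.19.13-N package carries it as a distro patch; only the former justifies a vanilla-version threshold, otherwise a stock 6.19.13 is reported patched while still vulnerable. The existing entry names the mainline commit (`a2567217`), and the new one should be held to the same standard so the next refresh does not have to re-derive it. Suggested comment: `{6, 19, 13}, /* 6.19.x stable backport per Debian tracker (forky/sid); TODO cite the stable-6.19.y commit or confirm in the 6.19.13 changelog */`. The tail of the comment block above the array and the `dirtydecrypt_range` initializer below both extend beyond this hunk.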
@@ -95,7 +95,7 @@
static const struct kernel_patched_from nf_tables_patched_branches[] = { static const struct kernel_patched_from nf_tables_patched_branches[] = {
{5, 4, 269}, /* 5.4.x */ {5, 4, 269}, /* 5.4.x */
{5, 10, 210}, /* 5.10.x */ {5, 10, 209}, /* 5.10.x (harmonised with Debian bullseye fix-version) */
{5, 15, 149}, /* 5.15.x */ {5, 15, 149}, /* 5.15.x */
{6, 1, 74}, /* 6.1.x */ {6, 1, 74}, /* 6.1.x */
{6, 6, 13}, /* 6.6.x */ {6, 6, 13}, /* 6.6.x */
@@ -89,7 +89,7 @@ static const struct kernel_patched_from nft_payload_patched_branches[] = {
{4, 14, 302}, /* 4.14.x */ {4, 14, 302}, /* 4.14.x */
{4, 19, 269}, /* 4.19.x */ {4, 19, 269}, /* 4.19.x */
{5, 4, 229}, /* 5.4.x */ {5, 4, 229}, /* 5.4.x */
{5, 10, 163}, /* 5.10.x */ {5, 10, 162}, /* 5.10.x (harmonised with Debian bullseye fix-version) */
{5, 15, 88}, /* 5.15.x */ {5, 15, 88}, /* 5.15.x */
{6, 1, 6}, /* 6.1.x */ {6, 1, 6}, /* 6.1.x */
{6, 2, 0}, /* mainline fix in 6.2-rc4 */ {6, 2, 0}, /* mainline fix in 6.2-rc4 */
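Review bot: Lowering the 5.10 threshold from 163 to 162 changes the tool's verdict for exactly one kernel version, 5.10.162, and in the unsafe direction: if Debian's bullseye package 5.10.162-N picked up the fix via a DSA before stable 5.10.163 shipped it, a vanilla 5.10.162 is now reported patched while vulnerable. The original value fits the pattern of the surrounding entries, which read as upstream stable tags, whereas the Debian version is a package version with its revision suffix dropped, so "off-by-one curation error on our side" is not the only explanation for a one-step delta. I would keep the stricter value until the stable changelog is checked, exactly as the commit already does for the larger deltas, or annotate it: `{5, 10, 163}, /* 5.10.x; Debian bullseye reports 5.10.162-x — possibly a cherry-pick, verify before lowering */`. The same consideration applies to the other single-step harmonisations in this commit.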
@@ -97,9 +97,9 @@
static const struct kernel_patched_from nft_set_uaf_patched_branches[] = { static const struct kernel_patched_from nft_set_uaf_patched_branches[] = {
{4, 19, 283}, /* 4.19.x safety patch (bug never reached this branch) */ {4, 19, 283}, /* 4.19.x safety patch (bug never reached this branch) */
{5, 4, 243}, /* 5.4.x */ {5, 4, 243}, /* 5.4.x */
{5, 10, 180}, /* 5.10.x */ {5, 10, 179}, /* 5.10.x (harmonised with Debian bullseye fix-version) */
{5, 15, 111}, /* 5.15.x */ {5, 15, 111}, /* 5.15.x */
{6, 1, 28}, /* 6.1.x */ {6, 1, 27}, /* 6.1.x (harmonised with Debian bookworm fix-version) */
{6, 2, 15}, /* 6.2.x */ {6, 2, 15}, /* 6.2.x */
{6, 3, 2}, /* 6.3.x */ {6, 3, 2}, /* 6.3.x */
{6, 4, 0}, /* mainline 6.4-rc4 */ {6, 4, 0}, /* mainline 6.4-rc4 */
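Review bot: The two lowered values, `{5, 10, 179}` and `{6, 1, 27}`, are the same two numbers that appear in this commit for an unrelated CVE (overlayfs_setuid's new 5.10.179 entry and its existing 6.1.27), which is what you expect when the tracker records the Debian package version current at the time of a DSA rather than the first upstream stable release carrying each backport. If Debian applied this fix as a distro patch on top of 5.10.179 / 6.1.27, then vanilla 5.10.179 and 6.1.27 kernels will now be reported patched while still vulnerable; the previous 5.10.180 / 6.1.28 values only risked a false positive on one version each. I would verify both against the stable tags before merging and, if they are kept, record the basis so the refresh script does not oscillate: `{5, 10, 179}, /* 5.10.x — Debian bullseye fix version; TODO confirm stable-5.10.179 contains the backport */` and likewise for the 6.1 line.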
@@ -60,6 +60,7 @@
#include <sys/wait.h> #include <sys/wait.h>
static const struct kernel_patched_from overlayfs_setuid_patched_branches[] = { static const struct kernel_patched_from overlayfs_setuid_patched_branches[] = {
{5, 10, 179}, /* 5.10.x stable backport (per Debian tracker — bullseye) */
{5, 15, 110}, {5, 15, 110},
{6, 1, 27}, {6, 1, 27},
{6, 2, 13}, {6, 2, 13},
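Review bot: The new `{5, 10, 179}` entry for CVE-2023-0386 should be treated as a Debian package version, not as the first 5.10.y release with the backport: the commit message itself records this table's 6.1 entry as 16 patch levels too tight (6.1.27 vs 6.1.11), and 5.10.179 / 6.1.27 are the same values this commit uses for CVE-2023-32233, so the likely source is the bullseye/bookworm package versions of one DSA window rather than per-fix stable tags. A too-high threshold is the safe direction (vanilla 5.10.y users between the real backport and .179 get a false positive), but the comment presents it as "stable backport", which will mislead the next refresh. Suggest `{5, 10, 179}, /* 5.10.x — Debian bullseye fix version (may be later than the upstream backport); TODO locate the stable-5.10.y tag */`. The array continues past the end of this hunk.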
@@ -119,9 +119,11 @@ union drm_vmw_alloc_dmabuf_arg {
/* ---- kernel range ------------------------------------------------- */ /* ---- kernel range ------------------------------------------------- */
static const struct kernel_patched_from vmwgfx_patched_branches[] = { static const struct kernel_patched_from vmwgfx_patched_branches[] = {
{6, 1, 23}, /* 6.1 LTS backport */ {5, 10, 127}, /* 5.10.x stable (per Debian tracker — bullseye) */
{6, 2, 10}, /* 6.2.x stable backport */ {5, 18, 14}, /* 5.18.x stable (per Debian tracker — bookworm/forky/sid/trixie) */
{6, 3, 0}, /* mainline (6.3-rc6) */ {6, 1, 23}, /* 6.1 LTS backport */
{6, 2, 10}, /* 6.2.x stable backport */
{6, 3, 0}, /* mainline (6.3-rc6) */
}; };
static const struct kernel_range vmwgfx_range = { static const struct kernel_range vmwgfx_range = {
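Review bot: The merged table is internally inconsistent: a fix present as a stable backport in 5.18.14 and 5.10.127 must already be in mainline before 5.19, yet the retained entries still say `{6, 1, 23}, /* 6.1 LTS backport */` and `{6, 3, 0}, /* mainline (6.3-rc6) */`, and a fix that is in every 5.19+ kernel needs no 6.1 backport and no 6.3-rc6 mainline landing. Both sets cannot describe the same bug, so either the Debian tracker's CVE-2023-2008 record refers to a different issue than the one this module probes (the hunk header's `union drm_vmw_alloc_dmabuf_arg` is a vmwgfx ioctl type; if I recall correctly CVE-2023-2008 is usually described as the udmabuf sanity-check bug fixed before 5.19, which would fit the Debian dates), or the existing 6.x entries are wrong. Until that is resolved the table gives no coherent answer for 5.19.x, 6.0.x or 6.1.0–6.1.22, whichever matching rule the (not visible) range check uses. I would not merge the two new lines as-is; either drop them and keep the vmwgfx-specific 6.x entries, or, if the module really keys on the pre-5.19 fix, replace the 6.x entries with a single `{5, 19, 0}` mainline line and cite the commit. `vmwgfx_range` starts on the last line of this hunk and continues outside it.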