diff --git a/packages/base/any/kernels/3.2.65-1+deb7u2/patches/CVE-2016-5195.patch b/packages/base/any/kernels/3.2.65-1+deb7u2/patches/CVE-2016-5195.patch
new file mode 100644
index 00000000..199eb2ce
--- /dev/null
+++ b/packages/base/any/kernels/3.2.65-1+deb7u2/patches/CVE-2016-5195.patch
@@ -0,0 +1,75 @@
+diff -urpN a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h 2016-11-02 14:46:33.278862661 -0700
++++ b/include/linux/mm.h 2016-11-02 14:47:01.338863270 -0700
+@@ -1526,6 +1526,7 @@ struct page *follow_page(struct vm_area_
+ #define FOLL_MLOCK 0x40 /* mark page as mlocked */
+ #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */
+ #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
++#define FOLL_COW 0x4000 /* internal GUP flag */
+
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ void *data);
+diff -urpN a/mm/memory.c b/mm/memory.c
+--- a/mm/memory.c 2016-11-02 14:46:33.938862676 -0700
++++ b/mm/memory.c 2016-11-02 14:50:52.086868277 -0700
+@@ -1427,6 +1427,23 @@ int zap_vma_ptes(struct vm_area_struct *
+ }
+ EXPORT_SYMBOL_GPL(zap_vma_ptes);
+
++static inline bool can_follow_write_pte(pte_t pte, struct page *page,
++ unsigned int flags)
++{
++ if (pte_write(pte))
++ return true;
++
++ /*
++ * Make sure that we are really following CoWed page. We do not really
++ * have to care about exclusiveness of the page because we only want
++ * to ensure that once COWed page hasn't disappeared in the meantime
++ * or it hasn't been merged to a KSM page.
++ */
++ if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
++ return page && PageAnon(page) && !PageKsm(page);
++
++ return false;
++}
+ /**
+ * follow_page - look up a page descriptor from a user-virtual address
+ * @vma: vm_area_struct mapping @address
+@@ -1509,10 +1526,12 @@ split_fallthrough:
+ pte = *ptep;
+ if (!pte_present(pte))
+ goto no_page;
+- if ((flags & FOLL_WRITE) && !pte_write(pte))
+- goto unlock;
+
+ page = vm_normal_page(vma, address, pte);
++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) {
++ pte_unmap_unlock(ptep, ptl);
++ return NULL;
++ }
+ if (unlikely(!page)) {
+ if ((flags & FOLL_DUMP) ||
+ !is_zero_pfn(pte_pfn(pte)))
+@@ -1789,17 +1808,13 @@ int __get_user_pages(struct task_struct
+ * The VM_FAULT_WRITE bit tells us that
+ * do_wp_page has broken COW when necessary,
+ * even if maybe_mkwrite decided not to set
+- * pte_write. We can thus safely do subsequent
+- * page lookups as if they were reads. But only
+- * do so when looping for pte_write is futile:
+- * in some cases userspace may also be wanting
+- * to write to the gotten user page, which a
+- * read fault here might prevent (a readonly
+- * page might get reCOWed by userspace write).
++ * pte_write. We cannot simply drop FOLL_WRITE
++ * here because the COWed page might be gone by
++ * the time we do the subsequent page lookups.
+ */
+ if ((ret & VM_FAULT_WRITE) &&
+ !(vma->vm_flags & VM_WRITE))
+- foll_flags &= ~FOLL_WRITE;
++ foll_flags |= FOLL_COW;
+
+ cond_resched();
+ }
diff --git a/packages/base/any/kernels/3.2.65-1+deb7u2/patches/series b/packages/base/any/kernels/3.2.65-1+deb7u2/patches/series
index f93799e2..e3e983f4 100644
--- a/packages/base/any/kernels/3.2.65-1+deb7u2/patches/series
+++ b/packages/base/any/kernels/3.2.65-1+deb7u2/patches/series
@@ -253,3 +253,4 @@ mgmt-port-init-config.patch
 arch-intel-reboot-cf9-cold.patch
 drivers-hwmon-adm1021-detect.patch
 drivers-i2c-busses-i2c-isch-timeout.patch
+CVE-2016-5195.patch
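Review bot: In the new CVE-2016-5195.patch, the `FOLL_FORCE && FOLL_COW` branch of `can_follow_write_pte()` lets a write follow a pte that is not writable, so its safety rests on `FOLL_COW` being set only at `foll_flags |= FOLL_COW` after a `VM_FAULT_WRITE` fault, yet the define in mm.h documents it only as `/* internal GUP flag */` alongside the other FOLL_* flags. I would spell the contract out at the define, e.g. `#define FOLL_COW 0x4000 /* set by __get_user_pages() after a COW-breaking fault; callers must never pass it */`. Nothing in the visible hunks masks the bit out of caller-supplied flags; whether the entry points do so lies outside them, so it is worth confirming for this 3.2 tree. The patch file also starts directly at `diff -urpN` with no header, so a short description naming the source of the backport (`Origin: <upstream commit id>`) would make the change auditable.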
diff --git a/packages/base/any/kernels/legacy/linux-3.8.13 b/packages/base/any/kernels/legacy/linux-3.8.13
index 7cdec99d..6c803ff8 160000
--- a/packages/base/any/kernels/legacy/linux-3.8.13
+++ b/packages/base/any/kernels/legacy/linux-3.8.13
@@ -1 +1 @@
-Subproject commit 7cdec99d7aea20e8afa83771350bdae699d79ffc
+Subproject commit 6c803ff857ba52549de43c52f47b714e623ed9d4
diff --git a/packages/base/any/kernels/legacy/linux-3.9.6 b/packages/base/any/kernels/legacy/linux-3.9.6
index 0106373d..34603c6e 160000
--- a/packages/base/any/kernels/legacy/linux-3.9.6
+++ b/packages/base/any/kernels/legacy/linux-3.9.6
@@ -1 +1 @@
-Subproject commit 0106373d79ecf4df3f8867c214ce180f4993c442
+Subproject commit 34603c6ec26840ad19991e62fcc617eee2ffec27