It looks like the fixes were merged in 6.18, 6.19, and 7.0. But all older (but supported) LTS kernels didn’t have the fix, like 6.12, which is used in Debian 13. And it also seems that Ubuntu, RHEL, and SUSE had not picked up the patches in their kernel versions.

That may be true for personal computers, but the impact of this vulnerability is mainly on servers. And those typically run distros like Debian, Ubuntu, RHEL that didn’t have a patch at that time.

It seems that most LTS distros didn’t get a heads up and there are no patches available. Uh oh.