Pointed AI at the current commits in main to see if any bugs were creeping in. It had some good observations. I can give detail if you want.
Key takeaways: The 26.03 cycle is overwhelmingly a hardening release — 50% of commits carry Fixes: tags. Three major systematic efforts dominate: your format overflow hardening series (37 patches), Bruce's variable shadowing warning enablement (32 patches), and Marat Khalili's BPF validator/JIT correctness fixes (9 patches). The highest-severity finds per AGENTS.md criteria are the vhost patches from Maxime Coquelin — particularly the descriptor chain bounds check, which is a guest-exploitable vulnerability (no bounds check + no loop counter on guest-controlled memory). The mmap MAP_FAILED vs NULL check is a textbook bug that could cause memory corruption. The NBL driver stands out as a concern — 8 correctness patches including double-frees, NULL derefs, and 10 Coverity issues, all shortly after its 25.11 merge. Worth extra scrutiny going forward. New features are modest, which fits the pattern for a non-LTS release focused on quality.
