CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68286 – drm/amd/display: Check NULL before accessing
https://notcve.org/view.php?id=CVE-2025-68286
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing [WHAT] IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic fails with NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitors connected. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: ... • https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68285 – libceph: fix potential use-after-free in have_mon_and_osd_map()
https://notcve.org/view.php?id=CVE-2025-68285
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and clie... • https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c •
CVSS: 6.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68284 – libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
https://notcve.org/view.php?id=CVE-2025-68284
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ] In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key(... • https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68283 – libceph: replace BUG_ON with bounds check for map->max_osd
https://notcve.org/view.php?id=CVE-2025-68283
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ] In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks... • https://git.kernel.org/stable/c/57f5fbae9f1024aba17ff75e00433324115c548a •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68282 – usb: gadget: udc: fix use-after-free in usb_gadget_state_work
https://notcve.org/view.php?id=CVE-2025-68282
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: udc: fix use-after-free in usb_gadget_state_work A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup proce... • https://git.kernel.org/stable/c/5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-68281 – ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list
https://notcve.org/view.php?id=CVE-2025-68281
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list "struct sdca_control" declares "values" field as integer array. But the memory allocated to it is of char array. This causes crash for sdca_parse_function API. This patch addresses the issue by allocating correct data size. In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list "struct sdca_control" declares "... • https://git.kernel.org/stable/c/fcd5786b506c51cbabc2560c68e040d8dba22a0d •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68266 – bfs: Reconstruct file type when loading from disk
https://notcve.org/view.php?id=CVE-2025-68266
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted or when the 32bits "attributes" field loaded from disk are corrupted. A documentation says that BFS uses only lower 9 bits of the "mode" field. But I can't find an explicit explanation that the unused upper 23 bits (especially, the S_IFMT bits)... • https://git.kernel.org/stable/c/77899444d46162aeb65f229590c26ba266864223 •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68265 – nvme: fix admin request_queue lifetime
https://notcve.org/view.php?id=CVE-2025-68265
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin request_queue lifetime The namespaces can access the controller's admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller's 'put' to after all controller references have been released to ensure no one is can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in bl... • https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68264 – ext4: refresh inline data size before write operations
https://notcve.org/view.php?id=CVE-2025-68264
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline... • https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68263 – ksmbd: ipc: fix use-after-free in ipc_msg_send_request
https://notcve.org/view.php?id=CVE-2025-68263
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is c... • https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e •