CVSS: 6.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68759 – wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
https://notcve.org/view.php?id=CVE-2025-68759
05 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA allocations in a loop. When an allocation fails, the previously successful allocations are not freed on exit. Fix that by jumping to err_free_rings label on error, which calls rtl8180_free_rx_ring() to free the allocations. Remove the free of rx_ring in rtl8180_init_rx_ring() error path, and set the free... • https://git.kernel.org/stable/c/f653211197f3841f383fa9757ef8ce182c6cf627 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54324 – dm: fix a race condition in retrieve_deps
https://notcve.org/view.php?id=CVE-2023-54324
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: dm: fix a race condition in retrieve_deps There's a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access. See this description of a UAF with multipath_mes... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50887 – regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
https://notcve.org/view.php?id=CVE-2022-50887
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() I got the the following report: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@62/regulators/exten In of_get_regulator(), the node is returned from of_parse_phandle() with refcount incremented, after using it, of_node_put() need be called. • https://git.kernel.org/stable/c/69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54321 – driver core: fix potential null-ptr-deref in device_add()
https://notcve.org/view.php?id=CVE-2023-54321
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential null-ptr-deref in device_add() I got the following null-ptr-deref report while doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+ RIP: 0010:klist_put+0x2d/0xd0 Call Trace:
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50884 – drm: Prevent drm_copy_field() to attempt copying a NULL pointer
https://notcve.org/view.php?id=CVE-2022-50884
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm: Prevent drm_copy_field() to attempt copying a NULL pointer There are some struct drm_driver fields that are required by drivers since drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. But it can be possible that a driver has a bug and did not set some of the fields, which leads to drm_copy_field() attempting to copy a NULL pointer: [ +10.395966] Unable to handle kernel access to user memory outside uaccess rou... • https://git.kernel.org/stable/c/22eae947bf76e236ba972f2f11cfd1b083b736ad •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54314 – media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
https://notcve.org/view.php?id=CVE-2023-54314
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9005_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref i... • https://git.kernel.org/stable/c/af4e067e1dcf926d9523dff11e46c45fd9fa9da2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54311 – ext4: fix deadlock when converting an inline directory in nojournal mode
https://notcve.org/view.php?id=CVE-2023-54311
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock when converting an inline directory in nojournal mode In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock by calling ext4_handle_dirty_dirblock() when it already has taken the directory lock. There is a similar self-deadlock in ext4_incvert_inline_data_nolock() for data files which we'll fix at the same time. A simple reproducer demonstrating the problem: mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc... • https://git.kernel.org/stable/c/3c47d54170b6a678875566b1b8d6dcf57904e49b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54310 – scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
https://notcve.org/view.php?id=CVE-2023-54310
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition mptlan_probe() calls mpt_register_lan_device() which initializes the &priv->post_buckets_task workqueue. A call to mpt_lan_wake_post_buckets_task() will subsequently start the work. During driver unload in mptlan_remove() the following race may occur: CPU0 CPU1 |mpt_lan_post_receive_buckets_work() mptlan_remove() | free_netdev() | kfree(dev); | | | dev->m... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2023-54300 – wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
https://notcve.org/view.php?id=CVE-2023-54300
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() a... • https://git.kernel.org/stable/c/fb9987d0f748c983bb795a86f47522313f701a08 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54286 – wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
https://notcve.org/view.php?id=CVE-2023-54286
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace A received TKIP key may be up to 32 bytes because it may contain MIC rx/tx keys too. These are not used by iwl and copying these over overflows the iwl_keyinfo.key field. Add a check to not copy more data to iwl_keyinfo.key then will fit. This fixes backtraces like this one: memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net... • https://git.kernel.org/stable/c/5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 •