CVSS: 5.6EPSS: %CPEs: 5EXPL: 0CVE-2025-71136 – media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
https://notcve.org/view.php?id=CVE-2025-71136
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds a... • https://git.kernel.org/stable/c/a89bcd4c6c2023615a89001b5a11b0bb77eb9491 •
CVSS: 6.6EPSS: %CPEs: 5EXPL: 0CVE-2025-71131 – crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
https://notcve.org/view.php?id=CVE-2025-71131
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv... • https://git.kernel.org/stable/c/0a270321dbf948963aeb0e8382fe17d2c2eb3771 •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-71118 – ACPICA: Avoid walking the Namespace if start_node is NULL
https://notcve.org/view.php?id=CVE-2025-71118
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1]. That happens due to the access to the member of parent_node in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matt... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.5EPSS: %CPEs: 5EXPL: 0CVE-2025-71116 – libceph: make decode_pool() more resilient against corrupted osdmaps
https://notcve.org/view.php?id=CVE-2025-71116
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped. In the Linux kernel, the fol... • https://git.kernel.org/stable/c/4f6a7e5ee1393ec4b243b39dac9f36992d161540 •
CVSS: 7.1EPSS: %CPEs: 5EXPL: 0CVE-2025-71114 – via_wdt: fix critical boot hang due to unnamed resource allocation
https://notcve.org/view.php?id=CVE-2025-71114
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as "
CVSS: 6.4EPSS: %CPEs: 5EXPL: 0CVE-2025-71113 – crypto: af_alg - zero initialize memory allocated via sock_kmalloc
https://notcve.org/view.php?id=CVE-2025-71113
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on pro... • https://git.kernel.org/stable/c/fe869cdb89c95d060c77eea20204d6c91f233b53 •
CVSS: 6.9EPSS: %CPEs: 5EXPL: 0CVE-2025-71111 – hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
https://notcve.org/view.php?id=CVE-2025-71111
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Add... • https://git.kernel.org/stable/c/9873964d6eb24bd0205394f9b791de9eddbcb855 •
CVSS: 7.8EPSS: %CPEs: 3EXPL: 0CVE-2025-71109 – MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
https://notcve.org/view.php?id=CVE-2025-71109
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the ma... • https://git.kernel.org/stable/c/e424054000878d7eb11e44289242886d6e219d22 •
CVSS: 6.6EPSS: %CPEs: 5EXPL: 0CVE-2025-71108 – usb: typec: ucsi: Handle incorrect num_connectors capability
https://notcve.org/view.php?id=CVE-2025-71108
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed,... • https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71098 – ip6_gre: make ip6gre_header() robust
https://notcve.org/view.php?id=CVE-2025-71098
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_pa... • https://git.kernel.org/stable/c/c12b395a46646bab69089ce7016ac78177f6001f •