CVSS: 6.9EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71111 – hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
https://notcve.org/view.php?id=CVE-2025-71111
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Add... • https://git.kernel.org/stable/c/9873964d6eb24bd0205394f9b791de9eddbcb855 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71109 – MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
https://notcve.org/view.php?id=CVE-2025-71109
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the ma... • https://git.kernel.org/stable/c/e424054000878d7eb11e44289242886d6e219d22 •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71108 – usb: typec: ucsi: Handle incorrect num_connectors capability
https://notcve.org/view.php?id=CVE-2025-71108
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed,... • https://git.kernel.org/stable/c/c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71107 – f2fs: ensure node page reads complete before f2fs_put_super() finishes
https://notcve.org/view.php?id=CVE-2025-71107
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PRE... • https://git.kernel.org/stable/c/20872584b8c0b006c007da9588a272c9e28d2e18 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71105 – f2fs: use global inline_xattr_slab instead of per-sb slab cache
https://notcve.org/view.php?id=CVE-2025-71105
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab... • https://git.kernel.org/stable/c/a999150f4fe3abbb7efd05411fd5b460be699943 •
CVSS: 8.4EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71104 – KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
https://notcve.org/view.php?id=CVE-2025-71104
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an ... • https://git.kernel.org/stable/c/d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71102 – scs: fix a wrong parameter in __scs_magic
https://notcve.org/view.php?id=CVE-2025-71102
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage check... • https://git.kernel.org/stable/c/5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71101 – platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
https://notcve.org/view.php?id=CVE-2025-71101
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields li... • https://git.kernel.org/stable/c/e6c7b3e15559699a30646dd45195549c7db447bd •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71098 – ip6_gre: make ip6gre_header() robust
https://notcve.org/view.php?id=CVE-2025-71098
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_pa... • https://git.kernel.org/stable/c/c12b395a46646bab69089ce7016ac78177f6001f •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71097 – ipv4: Fix reference count leak when using error routes with nexthop objects
https://notcve.org/view.php?id=CVE-2025-71097
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when t... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •