CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68286 – drm/amd/display: Check NULL before accessing
https://notcve.org/view.php?id=CVE-2025-68286
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing [WHAT] IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic fails with NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitors connected. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: ... • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68285 – libceph: fix potential use-after-free in have_mon_and_osd_map()
https://notcve.org/view.php?id=CVE-2025-68285
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and clie... • https://git.kernel.org/stable/c/6822d00b5462e7a9dfa11dcc60cc25823a2107c5 •
CVSS: 6.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68284 – libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
https://notcve.org/view.php?id=CVE-2025-68284
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ] In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key(... • https://git.kernel.org/stable/c/285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68283 – libceph: replace BUG_ON with bounds check for map->max_osd
https://notcve.org/view.php?id=CVE-2025-68283
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ] In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks... • https://git.kernel.org/stable/c/f24e9980eb860d8600cbe5ef3d2fd9295320d229 •
CVSS: 6.9EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68282 – usb: gadget: udc: fix use-after-free in usb_gadget_state_work
https://notcve.org/view.php?id=CVE-2025-68282
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: udc: fix use-after-free in usb_gadget_state_work A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup proce... • https://git.kernel.org/stable/c/5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68266 – bfs: Reconstruct file type when loading from disk
https://notcve.org/view.php?id=CVE-2025-68266
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted or when the 32bits "attributes" field loaded from disk are corrupted. A documentation says that BFS uses only lower 9 bits of the "mode" field. But I can't find an explicit explanation that the unused upper 23 bits (especially, the S_IFMT bits)... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68265 – nvme: fix admin request_queue lifetime
https://notcve.org/view.php?id=CVE-2025-68265
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin request_queue lifetime The namespaces can access the controller's admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller's 'put' to after all controller references have been released to ensure no one is can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in bl... • https://git.kernel.org/stable/c/fe60e8c534118a288cd251a59d747cbf5c03e160 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68264 – ext4: refresh inline data size before write operations
https://notcve.org/view.php?id=CVE-2025-68264
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline... • https://git.kernel.org/stable/c/67cf5b09a46f72e048501b84996f2f77bc42e947 •
CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68263 – ksmbd: ipc: fix use-after-free in ipc_msg_send_request
https://notcve.org/view.php?id=CVE-2025-68263
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is c... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 7.3EPSS: 0%CPEs: 13EXPL: 0CVE-2025-68261 – ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
https://notcve.org/view.php?id=CVE-2025-68261
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). ... • https://git.kernel.org/stable/c/c755e251357a0cee0679081f08c3f4ba797a8009 •