CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71096 – RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
https://notcve.org/view.php?id=CVE-2025-71096
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation ... • https://git.kernel.org/stable/c/ae43f8286730d1f2d241c34601df59f6d2286ac4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71095 – net: stmmac: fix the crash issue for zero copy XDP_TX action
https://notcve.org/view.php?id=CVE-2025-71095
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] s... • https://git.kernel.org/stable/c/bba2556efad66e7eaa56fece13f7708caa1187f8 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71094 – net: usb: asix: validate PHY address before use
https://notcve.org/view.php?id=CVE-2025-71094
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. In the Linux kernel, the foll... • https://git.kernel.org/stable/c/7e88b11a862afe59ee0c365123ea5fb96a26cb3b •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71093 – e1000: fix OOB in e1000_tbi_should_accept()
https://notcve.org/view.php?id=CVE-2025-71093
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ============================================================... • https://git.kernel.org/stable/c/2037110c96d5f1dd71453fcd0d54e79be12a352b •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71091 – team: fix check for port enabled in team_queue_override_port_prio_changed()
https://notcve.org/view.php?id=CVE-2025-71091
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name... • https://git.kernel.org/stable/c/6c31ff366c1116823e77019bae3e92e9d77a49f4 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71089 – iommu: disable SVA when CONFIG_X86 is set
https://notcve.org/view.php?id=CVE-2025-71089
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-aft... • https://git.kernel.org/stable/c/26b25a2b98e45aeb40eedcedc586ad5034cbd984 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71088 – mptcp: fallback earlier on simult connection
https://notcve.org/view.php?id=CVE-2025-71088
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:sub... • https://git.kernel.org/stable/c/01b7822700f2256900089e00390e119e1ad545df •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71087 – iavf: fix off-by-one issues in iavf_config_rss_reg()
https://notcve.org/view.php?id=CVE-2025-71087
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i... • https://git.kernel.org/stable/c/43a3d9ba34c9ca313573201d3f45de5ab3494cec •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71086 – net: rose: fix invalid array index in rose_kill_by_device()
https://notcve.org/view.php?id=CVE-2025-71086
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer der... • https://git.kernel.org/stable/c/12e5a4719c99d7f4104e7e962393dfb8baa1c591 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71085 – ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
https://notcve.org/view.php?id=CVE-2025-71085
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_he... • https://git.kernel.org/stable/c/2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 •