CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71109 – MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
https://notcve.org/view.php?id=CVE-2025-71109
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the ma... • https://git.kernel.org/stable/c/e424054000878d7eb11e44289242886d6e219d22 •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71108 – usb: typec: ucsi: Handle incorrect num_connectors capability
https://notcve.org/view.php?id=CVE-2025-71108
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed,... • https://git.kernel.org/stable/c/c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71105 – f2fs: use global inline_xattr_slab instead of per-sb slab cache
https://notcve.org/view.php?id=CVE-2025-71105
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab... • https://git.kernel.org/stable/c/a999150f4fe3abbb7efd05411fd5b460be699943 •
CVSS: 8.4EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71104 – KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
https://notcve.org/view.php?id=CVE-2025-71104
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an ... • https://git.kernel.org/stable/c/d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71102 – scs: fix a wrong parameter in __scs_magic
https://notcve.org/view.php?id=CVE-2025-71102
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage check... • https://git.kernel.org/stable/c/5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71098 – ip6_gre: make ip6gre_header() robust
https://notcve.org/view.php?id=CVE-2025-71098
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_pa... • https://git.kernel.org/stable/c/c12b395a46646bab69089ce7016ac78177f6001f •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71097 – ipv4: Fix reference count leak when using error routes with nexthop objects
https://notcve.org/view.php?id=CVE-2025-71097
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when t... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71096 – RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
https://notcve.org/view.php?id=CVE-2025-71096
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation ... • https://git.kernel.org/stable/c/ae43f8286730d1f2d241c34601df59f6d2286ac4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71095 – net: stmmac: fix the crash issue for zero copy XDP_TX action
https://notcve.org/view.php?id=CVE-2025-71095
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] s... • https://git.kernel.org/stable/c/bba2556efad66e7eaa56fece13f7708caa1187f8 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71094 – net: usb: asix: validate PHY address before use
https://notcve.org/view.php?id=CVE-2025-71094
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. In the Linux kernel, the foll... • https://git.kernel.org/stable/c/7e88b11a862afe59ee0c365123ea5fb96a26cb3b •