CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54293 – bcache: fixup btree_cache_wait list damage
https://notcve.org/view.php?id=CVE-2023-54293
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bcache: fixup btree_cache_wait list damage We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)." crash> struct list_head 0xffff9c801bc01210 struct list_head { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct list_head 0xffff9c77b688237c struct list_head { next = 0x0, prev = 0x0 } crash> struct list_head 0xffffae586d8afe68 struct... • https://git.kernel.org/stable/c/8e7102273f597dbb38af43da874f8c123f8e6dbe •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54289 – scsi: qedf: Fix NULL dereference in error handling
https://notcve.org/view.php?id=CVE-2023-54289
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix NULL dereference in error handling Smatch reported: drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() warn: missing unwind goto? At this point in the function, nothing has been allocated so we can return directly. In particular the "qedf->global_queues" have not been allocated so calling qedf_free_global_queues() will lead to a NULL dereference when we check if (!gl[i]) and "gl" is NULL. • https://git.kernel.org/stable/c/61d8658b4a435eac729966cc94cdda077a8df5cd •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54287 – tty: serial: imx: disable Ageing Timer interrupt request irq
https://notcve.org/view.php?id=CVE-2023-54287
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There maybe pending USR interrupt before requesting irq, however uart_add_one_port has not executed, so there will be kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre ss 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.... • https://git.kernel.org/stable/c/8a61f0c70ae65c6b70d13228c3120c73d7425a60 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54286 – wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
https://notcve.org/view.php?id=CVE-2023-54286
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace A received TKIP key may be up to 32 bytes because it may contain MIC rx/tx keys too. These are not used by iwl and copying these over overflows the iwl_keyinfo.key field. Add a check to not copy more data to iwl_keyinfo.key then will fit. This fixes backtraces like this one: memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net... • https://git.kernel.org/stable/c/5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2023-54284 – media: av7110: prevent underflow in write_ts_to_decoder()
https://notcve.org/view.php?id=CVE-2023-54284
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: av7110: prevent underflow in write_ts_to_decoder() The buf[4] value comes from the user via ts_play(). It is a value in the u8 range. The final length we pass to av7110_ipack_instant_repack() is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is not negative. It's not clear that passing a negative len value does anything bad necessarily, but it's not best practice. With the new bounds checking the "if (! • https://git.kernel.org/stable/c/fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54283 – bpf: Address KCSAN report on bpf_lru_list
https://notcve.org/view.php?id=CVE-2023-54283
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Address KCSAN report on bpf_lru_list KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race(). There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also. ===========================================... • https://git.kernel.org/stable/c/3a08c2fd763450a927d1130de078d6f9e74944fb •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54282 – media: tuners: qt1010: replace BUG_ON with a regular error
https://notcve.org/view.php?id=CVE-2023-54282
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: tuners: qt1010: replace BUG_ON with a regular error BUG_ON is unnecessary here, and in addition it confuses smatch. Replacing this with an error return help resolve this smatch warning: drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 • https://git.kernel.org/stable/c/4682b58e5af01ee856a706083eac71238fb69cd0 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54281 – btrfs: release path before inode lookup during the ino lookup ioctl
https://notcve.org/view.php?id=CVE-2023-54281
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before inode lookup during the ino lookup ioctl During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockde... • https://git.kernel.org/stable/c/23d0b79dfaed2305b500b0215b0421701ada6b1a •
CVSS: -EPSS: 0%CPEs: 12EXPL: 0CVE-2022-50881 – wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()
https://notcve.org/view.php?id=CVE-2022-50881
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() This patch fixes a use-after-free in ath9k that occurs in ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access 'drv_priv' that has already been freed by ieee80211_free_hw(), called by ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before ieee80211_free_hw(). Note that urbs from the driver should be killed before freeing 'wmi' with ath9k_destroy_wmi(... • https://git.kernel.org/stable/c/abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50880 – wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
https://notcve.org/view.php?id=CVE-2022-50880
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() When peer delete failed in a disconnect operation, use-after-free detected by KFENCE in below log. It is because for each vdev_id and address, it has only one struct ath10k_peer, it is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the array peer_map of struct ath10k will be se... • https://git.kernel.org/stable/c/d0eeafad118940fe445ca00f45be5624fea2ec34 •