CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71091 – team: fix check for port enabled in team_queue_override_port_prio_changed()
https://notcve.org/view.php?id=CVE-2025-71091
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name... • https://git.kernel.org/stable/c/6c31ff366c1116823e77019bae3e92e9d77a49f4 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71089 – iommu: disable SVA when CONFIG_X86 is set
https://notcve.org/view.php?id=CVE-2025-71089
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-aft... • https://git.kernel.org/stable/c/26b25a2b98e45aeb40eedcedc586ad5034cbd984 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71087 – iavf: fix off-by-one issues in iavf_config_rss_reg()
https://notcve.org/view.php?id=CVE-2025-71087
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i... • https://git.kernel.org/stable/c/43a3d9ba34c9ca313573201d3f45de5ab3494cec •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71086 – net: rose: fix invalid array index in rose_kill_by_device()
https://notcve.org/view.php?id=CVE-2025-71086
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer der... • https://git.kernel.org/stable/c/12e5a4719c99d7f4104e7e962393dfb8baa1c591 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71085 – ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
https://notcve.org/view.php?id=CVE-2025-71085
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_he... • https://git.kernel.org/stable/c/2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-71084 – RDMA/cm: Fix leaking the multicast GID table reference
https://notcve.org/view.php?id=CVE-2025-71084
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.... • https://git.kernel.org/stable/c/60d613b39e8d0c9f3b526e9c96445422b4562d76 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71083 – drm/ttm: Avoid NULL pointer deref for evicted BOs
https://notcve.org/view.php?id=CVE-2025-71083
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evi... • https://git.kernel.org/stable/c/09ac4fcb3f255e9225967c75f5893325c116cdbe •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71082 – Bluetooth: btusb: revert use of devm_kzalloc in btusb
https://notcve.org/view.php?id=CVE-2025-71082
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), ... • https://git.kernel.org/stable/c/98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71081 – ASoC: stm32: sai: fix OF node leak on probe
https://notcve.org/view.php?id=CVE-2025-71081
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. In the Linux ker... • https://git.kernel.org/stable/c/5914d285f6b782892a91d6621723fdc41a775b15 •
CVSS: 6.6EPSS: 0%CPEs: 12EXPL: 0CVE-2025-71079 – net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
https://notcve.org/view.php?id=CVE-2025-71079
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock T... • https://git.kernel.org/stable/c/73a0d12114b4bc1a9def79a623264754b9df698e •