CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68794 – iomap: adjust read range correctly for non-block-aligned positions
https://notcve.org/view.php?id=CVE-2025-68794
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and retur... • https://git.kernel.org/stable/c/9dc55f1389f9569acf9659e58dd836a9c70df217 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68788 – fsnotify: do not generate ACCESS/MODIFY events on child for special files
https://notcve.org/view.php?id=CVE-2025-68788
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see i... • https://git.kernel.org/stable/c/72acc854427948efed7a83da27f7dc3239ac9afc •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68787 – netrom: Fix memory leak in nr_sendmsg()
https://notcve.org/view.php?id=CVE-2025-68787
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When function sock_alloc_send_skb() return NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ......... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68785 – net: openvswitch: fix middle attribute validation in push_nsh() action
https://notcve.org/view.php?id=CVE-2025-68785
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing check... • https://git.kernel.org/stable/c/b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68783 – ALSA: usb-mixer: us16x08: validate meter packet indices
https://notcve.org/view.php?id=CVE-2025-68783
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a... • https://git.kernel.org/stable/c/d2bb390a2081a36ffe906724d2848d846f2aeb29 •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68781 – usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
https://notcve.org/view.php?id=CVE-2025-68781
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending o... • https://git.kernel.org/stable/c/0807c500a1a6d7fa20cbd7bbe7fea14a66112463 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68780 – sched/deadline: only set free_cpus for online runqueues
https://notcve.org/view.php?id=CVE-2025-68780
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: sched/deadline: only set free_cpus for online runqueues Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus to reflect rd->online") introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state. Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask from cpudl_find()") removed the check o... • https://git.kernel.org/stable/c/9659e1eeee28f7025b6545934d644d19e9c6e603 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68778 – btrfs: don't log conflicting inode if it's a dir moved in the current transaction
https://notcve.org/view.php?id=CVE-2025-68778
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1)... • https://git.kernel.org/stable/c/44f714dae50a2e795d3268a6831762aa6fa54f55 •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68777 – Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
https://notcve.org/view.php?id=CVE-2025-68777
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. ... • https://git.kernel.org/stable/c/bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68776 – net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
https://notcve.org/view.php?id=CVE-2025-68776
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x0000000... • https://git.kernel.org/stable/c/f266a683a4804dc499efc6c2206ef68efed029d0 •