CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2025-68811 – svcrdma: use rc_pageoff for memcpy byte offset
https://notcve.org/view.php?id=CVE-2025-68811
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com) • https://git.kernel.org/stable/c/8e122582680c6f8acd686a5a2af9c0e46fe90f2d •
CVSS: 7.1 • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2025-68810 – KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
https://notcve.org/view.php?id=CVE-2025-68810
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag. Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd... • https://git.kernel.org/stable/c/a7800aa80ea4d5356b8474c2302812e9d4926fa6 •
CVSS: 6.3 • EPSS: 0% • CPEs: 4 • EXPL: 0
CVE-2025-68809 – ksmbd: vfs: fix race on m_flags in vfs_cache
https://notcve.org/view.php?id=CVE-2025-68809
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), k... • https://git.kernel.org/stable/c/f44158485826c076335d6860d35872271a83791d •
CVSS: 7.1 • EPSS: 0% • CPEs: 7 • EXPL: 0
CVE-2025-68808 – media: vidtv: initialize local pointers upon transfer of memory ownership
https://notcve.org/view.php?id=CVE-2025-68808
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NU... • https://git.kernel.org/stable/c/3be8037960bccd13052cfdeba8805ad785041d70 •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2025-68806 – ksmbd: fix buffer validation by including null terminator size in EA length
https://notcve.org/view.php?id=CVE-2025-68806
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately... • https://git.kernel.org/stable/c/d070c4dd2a5bed4e9832eec5b6c029c7d14892ea •
CVSS: 5.5 • EPSS: 0% • CPEs: 7 • EXPL: 0
CVE-2025-68804 – platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
https://notcve.org/view.php?id=CVE-2025-68804
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting in a UAF and crash. The driver doesn't unregister the EC device in .remove(), which should shut down sub-devices synchronously. Fix it. • https://git.kernel.org/stable/c/26a14267aff218c60b89007fdb44ca392ba6122c •
CVSS: 5.5 • EPSS: 0% • CPEs: 7 • EXPL: 0
CVE-2025-68803 – NFSD: NFSv4 file creation neglects setting ACL
https://notcve.org/view.php?id=CVE-2025-68803
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whet... • https://git.kernel.org/stable/c/c5409ce523af40d5c3019717bc5b4f72038d48be •
CVSS: 6.6 • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2025-68802 – drm/xe: Limit num_syncs to prevent oversized allocations
https://notcve.org/view.php?id=CVE-2025-68802
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. " ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 ... • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 •
CVSS: 7.8 • EPSS: 0% • CPEs: 7 • EXPL: 0
CVE-2025-68801 – mlxsw: spectrum_router: Fix neighbour use-after-free
https://notcve.org/view.php?id=CVE-2025-68801
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid tak... • https://git.kernel.org/stable/c/6cf3c971dc84cb36579515ddb488919b9e9fb6de •
CVSS: 7.2 • EPSS: 0% • CPEs: 7 • EXPL: 0
CVE-2025-68800 – mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
https://notcve.org/view.php?id=CVE-2025-68800
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. F... • https://git.kernel.org/stable/c/f38656d067257cc43b652958dd154e1ab0773701 •
