CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68819 – media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
https://notcve.org/view.php?id=CVE-2025-68819
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix o... • https://git.kernel.org/stable/c/60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-68818 – scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
https://notcve.org/view.php?id=CVE-2025-68818
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: ql... • https://git.kernel.org/stable/c/231cfa78ec5badd84a1a2b09465bfad1a926aba1 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68817 – ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
https://notcve.org/view.php?id=CVE-2025-68817
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on... • https://git.kernel.org/stable/c/dd45db4d9bbc8f122a9b4db5ce94ae29fcf03d3c •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68816 – net/mlx5: fw_tracer, Validate format string parameters
https://notcve.org/view.php?id=CVE-2025-68816
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (... • https://git.kernel.org/stable/c/70dd6fdb8987b14f7b6105f6be0617299e459398 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68815 – net/sched: ets: Remove drr class from the active list if it changes to strict
https://notcve.org/view.php?id=CVE-2025-68815
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following ... • https://git.kernel.org/stable/c/f517335a61ff8037b18ba1b0a002c1f82926a934 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68814 – io_uring: fix filename leak in __io_openat_prep()
https://notcve.org/view.php?id=CVE-2025-68814
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this b... • https://git.kernel.org/stable/c/b9445598d8c60a1379887b957024b71343965f74 •
CVSS: 6.2EPSS: 0%CPEs: 13EXPL: 0CVE-2025-68813 – ipvs: fix ipv4 null-ptr-deref in route error path
https://notcve.org/view.php?id=CVE-2025-68813
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_li... • https://git.kernel.org/stable/c/ed0de45a1008991fdaa27a0152befcb74d126a8b •
CVSS: 6.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68809 – ksmbd: vfs: fix race on m_flags in vfs_cache
https://notcve.org/view.php?id=CVE-2025-68809
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), k... • https://git.kernel.org/stable/c/f44158485826c076335d6860d35872271a83791d •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68808 – media: vidtv: initialize local pointers upon transfer of memory ownership
https://notcve.org/view.php?id=CVE-2025-68808
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NU... • https://git.kernel.org/stable/c/3be8037960bccd13052cfdeba8805ad785041d70 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68806 – ksmbd: fix buffer validation by including null terminator size in EA length
https://notcve.org/view.php?id=CVE-2025-68806
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately... • https://git.kernel.org/stable/c/d070c4dd2a5bed4e9832eec5b6c029c7d14892ea •