CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68364 – ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
https://notcve.org/view.php?id=CVE-2025-68364
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just to avoid crashing the whole kernel due to a filesystem corruption. • https://git.kernel.org/stable/c/8f603e567aa7a243e68ca48b4f105b990851360f •
CVSS: 6.6 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68362 – wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
https://notcve.org/view.php?id=CVE-2025-68362
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, ... • https://git.kernel.org/stable/c/6f7853f3cbe457067e9fe05461f56c7ea4ac488c •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-68357 – iomap: allocate s_dio_done_wq for async reads as well
https://notcve.org/view.php?id=CVE-2025-68357
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: iomap: allocate s_dio_done_wq for async reads as well Since commit 222f2c7c6d14 ("iomap: always run error completions in user context"), read error completions are deferred to s_dio_done_wq. This means the workqueue also needs to be allocated for async reads. • https://git.kernel.org/stable/c/c67775cf0da2407f113c1229e350758f4dca0f51 •
CVSS: 7.1 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68354 – regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
https://notcve.org/view.php?id=CVE-2025-68354
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias,... • https://git.kernel.org/stable/c/a06ccd9c3785fa5550917ae036944f4e080b5749 •
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68344 – ALSA: wavefront: Fix integer overflow in sample size validation
https://notcve.org/view.php?id=CVE-2025-68344
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-68343 – can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
https://notcve.org/view.php?id=CVE-2025-68343
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68342 – can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
https://notcve.org/view.php?id=CVE-2025-68342
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-68340 – team: Move team device type change at the end of team_port_add
https://notcve.org/view.php?id=CVE-2025-68340
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_typ... • https://git.kernel.org/stable/c/1d76efe1577b4323609b1bcbfafa8b731eda071a •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-68339 – atm/fore200e: Fix possible data race in fore200e_open()
https://notcve.org/view.php?id=CVE-2025-68339
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when s... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68337 – jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
https://notcve.org/view.php?id=CVE-2025-68337
22 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's issue when file system corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff888... • https://git.kernel.org/stable/c/470decc613ab2048b619a01028072d932d9086ee •
