CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68786 – ksmbd: skip lock-range check on equal size to avoid size==0 underflow
https://notcve.org/view.php?id=CVE-2025-68786
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: skip lock-range check on equal size to avoid size==0 underflow When size equals the current i_size (including 0), the code used to call check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1` and can underflow for size==0. Skip the equal case. In the Linux kernel, the following vulnerability has been resolved: ksmbd: skip lock-range check on equal size to avoid size==0 underflow When size equals the current i_size ... • https://git.kernel.org/stable/c/f44158485826c076335d6860d35872271a83791d •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68785 – net: openvswitch: fix middle attribute validation in push_nsh() action
https://notcve.org/view.php?id=CVE-2025-68785
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing check... • https://git.kernel.org/stable/c/b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68784 – xfs: fix a UAF problem in xattr repair
https://notcve.org/view.php?id=CVE-2025-68784
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: fix a UAF problem in xattr repair The xchk_setup_xattr_buf function can allocate a new value buffer, which means that any reference to ab->value before the call could become a dangling pointer. Fix this by moving an assignment to after the buffer setup. In the Linux kernel, the following vulnerability has been resolved: xfs: fix a UAF problem in xattr repair The xchk_setup_xattr_buf function can allocate a new value buffer, which means... • https://git.kernel.org/stable/c/e47dcf113ae348678143cc935a1183059c02c9ad •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68783 – ALSA: usb-mixer: us16x08: validate meter packet indices
https://notcve.org/view.php?id=CVE-2025-68783
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a... • https://git.kernel.org/stable/c/d2bb390a2081a36ffe906724d2848d846f2aeb29 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68782 – scsi: target: Reset t_task_cdb pointer in error case
https://notcve.org/view.php?id=CVE-2025-68782
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation ... • https://git.kernel.org/stable/c/9e95fb805dc043cc8ed878a08d1583e4097a5f80 •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68781 – usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
https://notcve.org/view.php?id=CVE-2025-68781
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending o... • https://git.kernel.org/stable/c/0807c500a1a6d7fa20cbd7bbe7fea14a66112463 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68780 – sched/deadline: only set free_cpus for online runqueues
https://notcve.org/view.php?id=CVE-2025-68780
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: sched/deadline: only set free_cpus for online runqueues Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus to reflect rd->online") introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state. Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask from cpudl_find()") removed the check o... • https://git.kernel.org/stable/c/9659e1eeee28f7025b6545934d644d19e9c6e603 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68778 – btrfs: don't log conflicting inode if it's a dir moved in the current transaction
https://notcve.org/view.php?id=CVE-2025-68778
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1)... • https://git.kernel.org/stable/c/44f714dae50a2e795d3268a6831762aa6fa54f55 •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68777 – Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
https://notcve.org/view.php?id=CVE-2025-68777
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. ... • https://git.kernel.org/stable/c/bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68776 – net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
https://notcve.org/view.php?id=CVE-2025-68776
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x0000000... • https://git.kernel.org/stable/c/f266a683a4804dc499efc6c2206ef68efed029d0 •