CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71068 – svcrdma: bound check rq_pages index in inline path
https://notcve.org/view.php?id=CVE-2025-71068
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page. In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verif... • https://git.kernel.org/stable/c/d7cc73972661be4a02a1b09f1d9b3283c6c05154 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71067 – ntfs: set dummy blocksize to read boot_block when mounting
https://notcve.org/view.php?id=CVE-2025-71067
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r... • https://git.kernel.org/stable/c/28861e3bbd9e7ac4cd9c811aad71b4d116e27930 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71066 – net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
https://notcve.org/view.php?id=CVE-2025-71066
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_q... • https://git.kernel.org/stable/c/ae2659d2c670252759ee9c823c4e039c0e05a6f2 •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71065 – f2fs: fix to avoid potential deadlock
https://notcve.org/view.php?id=CVE-2025-71065
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan... • https://git.kernel.org/stable/c/95fa90c9e5a7f14c2497d5b032544478c9377c3a •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71064 – net: hns3: using the num_tqps in the vf driver to apply for resources
https://notcve.org/view.php?id=CVE-2025-71064
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp usi... • https://git.kernel.org/stable/c/e2cb1dec9779ba2d89302a653eb0abaeb8682196 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68823 – ublk: fix deadlock when reading partition table
https://notcve.org/view.php?id=CVE-2025-68823
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process(such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. The process issues read I/O to ublk backend to read partition table 3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() runs bio->bi_end_io() callbacks 4. If this triggers fput() on file descriptor of ... • https://git.kernel.org/stable/c/71f28f3136aff5890cd56de78abc673f8393cad9 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68822 – Input: alps - fix use-after-free bugs caused by dev3_register_work
https://notcve.org/view.php?id=CVE-2025-68822
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in... • https://git.kernel.org/stable/c/04aae283ba6a8cd4851d937bf9c6d6ef0361d794 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68821 – fuse: fix readahead reclaim deadlock
https://notcve.org/view.php?id=CVE-2025-68821
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers rec... • https://git.kernel.org/stable/c/a39f70d63f4373a598820d9491719e44cd60afe9 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-68820 – ext4: xattr: fix null pointer deref in ext4_raw_inode()
https://notcve.org/view.php?id=CVE-2025-68820
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been... • https://git.kernel.org/stable/c/76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68819 – media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
https://notcve.org/view.php?id=CVE-2025-68819
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix o... • https://git.kernel.org/stable/c/60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 •