CVSS: 6.9 | EPSS: % | CPEs: 5 | EXPL: 0
CVE-2025-71111 – hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
https://notcve.org/view.php?id=CVE-2025-71111
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Add... • https://git.kernel.org/stable/c/9873964d6eb24bd0205394f9b791de9eddbcb855 •

CVSS: 7.8 | EPSS: % | CPEs: 3 | EXPL: 0
CVE-2025-71109 – MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
https://notcve.org/view.php?id=CVE-2025-71109
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the ma... • https://git.kernel.org/stable/c/e424054000878d7eb11e44289242886d6e219d22 •

CVSS: 6.6 | EPSS: % | CPEs: 5 | EXPL: 0
CVE-2025-71108 – usb: typec: ucsi: Handle incorrect num_connectors capability
https://notcve.org/view.php?id=CVE-2025-71108
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed,... • https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d •

CVSS: 8.4 | EPSS: % | CPEs: 7 | EXPL: 0
CVE-2025-71104 – KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
https://notcve.org/view.php?id=CVE-2025-71104
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an ... • https://git.kernel.org/stable/c/d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc •

CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71098 – ip6_gre: make ip6gre_header() robust
https://notcve.org/view.php?id=CVE-2025-71098
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers' ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len. In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_pa... • https://git.kernel.org/stable/c/c12b395a46646bab69089ce7016ac78177f6001f •

CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71097 – ipv4: Fix reference count leak when using error routes with nexthop objects
https://notcve.org/view.php?id=CVE-2025-71097
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when t... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •

CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71096 – RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
https://notcve.org/view.php?id=CVE-2025-71096
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation ... • https://git.kernel.org/stable/c/ae43f8286730d1f2d241c34601df59f6d2286ac4 •

CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71093 – e1000: fix OOB in e1000_tbi_should_accept()
https://notcve.org/view.php?id=CVE-2025-71093
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor-reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ============================================================... • https://git.kernel.org/stable/c/2037110c96d5f1dd71453fcd0d54e79be12a352b •

CVSS: 6.3 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71091 – team: fix check for port enabled in team_queue_override_port_prio_changed()
https://notcve.org/view.php?id=CVE-2025-71091
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name... • https://git.kernel.org/stable/c/6c31ff366c1116823e77019bae3e92e9d77a49f4 •

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-71089 – iommu: disable SVA when CONFIG_X86 is set
https://notcve.org/view.php?id=CVE-2025-71089
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-aft... • https://git.kernel.org/stable/c/26b25a2b98e45aeb40eedcedc586ad5034cbd984 •
