CVSS: 8.4EPSS: %CPEs: 7EXPL: 0CVE-2025-71104 – KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
https://notcve.org/view.php?id=CVE-2025-71104
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an ... • https://git.kernel.org/stable/c/d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71098 – ip6_gre: make ip6gre_header() robust
https://notcve.org/view.php?id=CVE-2025-71098
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_pa... • https://git.kernel.org/stable/c/c12b395a46646bab69089ce7016ac78177f6001f •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71096 – RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
https://notcve.org/view.php?id=CVE-2025-71096
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation ... • https://git.kernel.org/stable/c/ae43f8286730d1f2d241c34601df59f6d2286ac4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71093 – e1000: fix OOB in e1000_tbi_should_accept()
https://notcve.org/view.php?id=CVE-2025-71093
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ============================================================... • https://git.kernel.org/stable/c/2037110c96d5f1dd71453fcd0d54e79be12a352b •
CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71091 – team: fix check for port enabled in team_queue_override_port_prio_changed()
https://notcve.org/view.php?id=CVE-2025-71091
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name... • https://git.kernel.org/stable/c/6c31ff366c1116823e77019bae3e92e9d77a49f4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71087 – iavf: fix off-by-one issues in iavf_config_rss_reg()
https://notcve.org/view.php?id=CVE-2025-71087
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i... • https://git.kernel.org/stable/c/43a3d9ba34c9ca313573201d3f45de5ab3494cec •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71085 – ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
https://notcve.org/view.php?id=CVE-2025-71085
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_he... • https://git.kernel.org/stable/c/2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71083 – drm/ttm: Avoid NULL pointer deref for evicted BOs
https://notcve.org/view.php?id=CVE-2025-71083
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evi... • https://git.kernel.org/stable/c/09ac4fcb3f255e9225967c75f5893325c116cdbe •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71082 – Bluetooth: btusb: revert use of devm_kzalloc in btusb
https://notcve.org/view.php?id=CVE-2025-71082
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), ... • https://git.kernel.org/stable/c/98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 •
CVSS: 6.6EPSS: 0%CPEs: 12EXPL: 0CVE-2025-71079 – net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
https://notcve.org/view.php?id=CVE-2025-71079
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock T... • https://git.kernel.org/stable/c/3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 •