CVSS: - EPSS: 0% CPEs: 6 EXPL: 0
CVE-2022-50828 – clk: zynqmp: Fix stack-out-of-bounds in strncpy`
https://notcve.org/view.php?id=CVE-2022-50828
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: clk: zynqmp: Fix stack-out-of-bounds in strncpy` "BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68" Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is longer than 15 bytes, string terminated NULL character will not be received by Linux. Add explicit NULL character at last byte to fix issues when clock name is longer. This fixes below bug reported by KASAN: ========================================================... • https://git.kernel.org/stable/c/5852b1365df4414523210e444ac7df1dec09acb4 •
CVSS: - EPSS: 0% CPEs: 3 EXPL: 0
CVE-2023-54203 – ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr
https://notcve.org/view.php?id=CVE-2023-54203
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr When smb1 mount fails, KASAN detect slab-out-of-bounds in init_smb2_rsp_hdr like the following one. For smb1 negotiate(56bytes) , init_smb2_rsp_hdr() for smb2 is called. The issue occurs while handling smb1 negotiate as smb2 server operations. Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that smb2 server ope... • https://git.kernel.org/stable/c/51a8534c0f35c0401e45f1055f914729cad98bf9 •
CVSS: - EPSS: 0% CPEs: 4 EXPL: 0
CVE-2023-54202 – drm/i915: fix race condition UAF in i915_perf_add_config_ioctl
https://notcve.org/view.php?id=CVE-2023-54202
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915: fix race condition UAF in i915_perf_add_config_ioctl Userspace can guess the id value and try to race oa_config object creation with config remove, resulting in a use-after-free if we dereference the object after unlocking the metrics_lock. For that reason, unlocking the metrics_lock must be done after we are done dereferencing the object. [tursulin: Manually added stable tag.] (cherry picked from commit 49f6f6483b652108bcb73accd0... • https://git.kernel.org/stable/c/f89823c212246d0671cc51e69894a3df1a743aee •
CVSS: - EPSS: 0% CPEs: 4 EXPL: 0
CVE-2023-54201 – RDMA/efa: Fix wrong resources deallocation order
https://notcve.org/view.php?id=CVE-2023-54201
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix wrong resources deallocation order When trying to destroy QP or CQ, we first decrease the refcount and potentially free memory regions allocated for the object and then request the device to destroy the object. If the device fails, the object isn't fully destroyed so the user/IB core can try to destroy the object again which will lead to underflow when trying to decrease an already zeroed refcount. Deallocate resources in reve... • https://git.kernel.org/stable/c/ff6629f88c529b07d9704c656c64dae76910e3e9 •
CVSS: - EPSS: 0% CPEs: 5 EXPL: 0
CVE-2023-54200 – netfilter: nf_tables: always release netdev hooks from notifier
https://notcve.org/view.php?id=CVE-2023-54200
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always release netdev hooks from notifier This reverts "netfilter: nf_tables: skip netdev events generated on netns removal". The problem is that when a veth device is released, the veth release callback will also queue the peer netns device for removal. It's possible that the peer netns is also slated for removal. In this case, the device memory is already released before the pre_exit hook of the peer netns runs: BUG: ... • https://git.kernel.org/stable/c/68a3765c659f809dcaac20030853a054646eb739 •
CVSS: - EPSS: 0% CPEs: 5 EXPL: 0
CVE-2023-54199 – drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()
https://notcve.org/view.php?id=CVE-2023-54199
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup() Fix the below kernel panic due to null pointer access: [ 18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048 [ 18.513464] Mem abort info: [ 18.516346] ESR = 0x0000000096000005 [ 18.520204] EC = 0x25: DABT (current EL), IL = 32 bits [ 18.525706] SET = 0, FnV = 0 [ 18.528878] EA = 0, S1PTW = 0 [ 18.532117] FSC = 0x05: level 1 translation fa... • https://git.kernel.org/stable/c/17e822f7591fb66162aca07685dc0b01468e5480 •
CVSS: - EPSS: 0% CPEs: 8 EXPL: 0
CVE-2023-54198 – tty: fix out-of-bounds access in tty_driver_lookup_tty()
https://notcve.org/view.php?id=CVE-2023-54198
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: fix out-of-bounds access in tty_driver_lookup_tty() When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number. To reproduce: qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270" This crashes with: [ 0.770599] BUG: kernel NULL pointer de... • https://git.kernel.org/stable/c/99f1fe189daf8e99a847e420567e49dd7ee2aae7 •
CVSS: - EPSS: 0% CPEs: 9 EXPL: 0
CVE-2023-54197 – Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
https://notcve.org/view.php?id=CVE-2023-54197
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work" This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f. This patch introduces a possible null-ptr-def problem. Revert it. And the bug fixed by this patch has been resolved by commit 73f7b171b7c0 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition"). • https://git.kernel.org/stable/c/95eacef5692545f199fae4e52abfbfa273acb351 •
CVSS: - EPSS: 0% CPEs: 4 EXPL: 0
CVE-2023-54196 – fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'
https://notcve.org/view.php?id=CVE-2023-54196
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' Syzbot found the following issue: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010... • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 •
CVSS: - EPSS: 0% CPEs: 3 EXPL: 0
CVE-2023-54195 – rxrpc: Fix timeout of a call that hasn't yet been granted a channel
https://notcve.org/view.php?id=CVE-2023-54195
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix timeout of a call that hasn't yet been granted a channel afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled: BUG:... • https://git.kernel.org/stable/c/9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d •
