CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2022-50709 – wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
https://notcve.org/view.php?id=CVE-2022-50709
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading fr... • https://git.kernel.org/stable/c/fb9987d0f748c983bb795a86f47522313f701a08 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2022-50708 – HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
https://notcve.org/view.php?id=CVE-2022-50708
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When hsi_register_port_event() gets some error and returns a negative value, the HSI client's port should be released with hsi_release_port(). Fix it by calling hsi_release_port() when hsi_register_port_event() fails. • https://git.kernel.org/stable/c/dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb •
CVSS: - | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2022-50703 – soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
https://notcve.org/view.php?id=CVE-2022-50703
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() There are two refcount leak bugs in qcom_smsm_probe(): (1) The 'local_node' is escaped out from for_each_child_of_node() as the break of iteration, we should call of_node_put() for it in error path or when it is not used anymore. (2) The 'node' is escaped out from for_each_available_child_of_node() as the 'goto', we should call of_node_put() for it in goto target. The SUSE Linux E... • https://git.kernel.org/stable/c/c97c4090ff72297a878a37715bd301624b71c885 •
CVSS: - | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2022-50697 – mrp: introduce active flags to prevent UAF when applicant uninit
https://notcve.org/view.php?id=CVE-2022-50697
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer. If we do not have this synchronization, there is a small probability that the cancellation will not be successful. And syzbot reports the following crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-... • https://git.kernel.org/stable/c/febf018d22347b5df94066bca05d0c11a84e839d •
CVSS: 3.3 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-68733 – smack: fix bug: unprivileged task can create labels
https://notcve.org/view.php?id=CVE-2025-68733
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smack: fix bug: unprivileged task can create labels If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into its own /proc/PID/attr/smack/current. This occurs because do_setattr() imports the provided label in advance, before checking the "relabel-self" list. This change ensures that the "relabel-self" list is checked before importing the label. In the Linux ... • https://git.kernel.org/stable/c/38416e53936ecf896948fdeffc36b76979117952 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-68724 – crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
https://notcve.org/view.php?id=CVE-2025-68724
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial num... • https://git.kernel.org/stable/c/7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-68379 – RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
https://notcve.org/view.php?id=CVE-2025-68379
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask. Call Trace:
CVSS: 7.1 | EPSS: 0% | CPEs: 12 | EXPL: 0
CVE-2025-68372 – nbd: defer config put in recv_work
https://notcve.org/view.php?id=CVE-2025-68372
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE:
    nbd_genl_connect // conf_ref=2 (connect and recv_work A)
    nbd_open // conf_ref=3
    recv_work A done // conf_ref=2
    NBD_CLEAR_SOCK // conf_ref=1
    nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
    close nbd // conf_ref=1
    recv_work B
    config_put // conf_ref=0
    atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_... • https://git.kernel.org/stable/c/87aac3a80af5cbad93e63250e8a1e19095ba0d30 •
CVSS: 6.9 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-68367 – macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
https://notcve.org/view.php?id=CVE-2025-68367
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted ... • https://git.kernel.org/stable/c/99b089c3c38a83ebaeb1cc4584ddcde841626467 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-68366 – nbd: defer config unlock in nbd_genl_connect
https://notcve.org/view.php?id=CVE-2025-68366
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK:
    nbd_genl_connect
    nbd_alloc_and_init_config // config_refs=1
    nbd_start_device // config_refs=2
    set NBD_RT_HAS_CONFIG_REF
    open nbd // config_refs=3
    recv_work done // config_refs=2
    NBD_CLEAR_SOCK // config_refs=1
    close nbd // config_refs=0
    refcount_inc -> uaf
------------[ cut here ]------------ refcount_t: addition... • https://git.kernel.org/stable/c/e46c7287b1c27683a8e30ca825fb98e2b97f1099 •
