CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71087 – iavf: fix off-by-one issues in iavf_config_rss_reg()
https://notcve.org/view.php?id=CVE-2025-71087
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i... • https://git.kernel.org/stable/c/43a3d9ba34c9ca313573201d3f45de5ab3494cec •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-71086 – net: rose: fix invalid array index in rose_kill_by_device()
https://notcve.org/view.php?id=CVE-2025-71086
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer der... • https://git.kernel.org/stable/c/3e0d1585799d8a991eba9678f297fd78d9f1846e •
CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71085 – ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
https://notcve.org/view.php?id=CVE-2025-71085
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_he... • https://git.kernel.org/stable/c/2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71083 – drm/ttm: Avoid NULL pointer deref for evicted BOs
https://notcve.org/view.php?id=CVE-2025-71083
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. • https://git.kernel.org/stable/c/09ac4fcb3f255e9225967c75f5893325c116cdbe •
CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71082 – Bluetooth: btusb: revert use of devm_kzalloc in btusb
https://notcve.org/view.php?id=CVE-2025-71082
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), ... • https://git.kernel.org/stable/c/98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 •
CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71081 – ASoC: stm32: sai: fix OF node leak on probe
https://notcve.org/view.php?id=CVE-2025-71081
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. • https://git.kernel.org/stable/c/5914d285f6b782892a91d6621723fdc41a775b15 •
CVSS: 6.6 | EPSS: 0% | CPEs: 12 | EXPL: 0 | CVE-2025-71079 – net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
https://notcve.org/view.php?id=CVE-2025-71079
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock T... • https://git.kernel.org/stable/c/3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71078 – powerpc/64s/slb: Fix SLB multihit issue during SLB preload
https://notcve.org/view.php?id=CVE-2025-71078
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction — typically after every 256 context switches — to remove old entries. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. H... • https://git.kernel.org/stable/c/5434ae74629af58ad0fc27143a9ea435f7734410 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71077 – tpm: Cap the number of PCR banks
https://notcve.org/view.php?id=CVE-2025-71077
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause only limited harm. • https://git.kernel.org/stable/c/bcfff8384f6c4e6627676ef07ccad9cfacd67849 •
CVSS: 7.0 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71075 – scsi: aic94xx: fix use-after-free in device removal path
https://notcve.org/view.php?id=CVE-2025-71075
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), a race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceed... • https://git.kernel.org/stable/c/2908d778ab3e244900c310974e1fc1c69066e450 •
