CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71097 – ipv4: Fix reference count leak when using error routes with nexthop objects
https://notcve.org/view.php?id=CVE-2025-71097
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when t... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71096 – RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
https://notcve.org/view.php?id=CVE-2025-71096
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation ... • https://git.kernel.org/stable/c/ae43f8286730d1f2d241c34601df59f6d2286ac4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71093 – e1000: fix OOB in e1000_tbi_should_accept()
https://notcve.org/view.php?id=CVE-2025-71093
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ============================================================... • https://git.kernel.org/stable/c/2037110c96d5f1dd71453fcd0d54e79be12a352b •
CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71091 – team: fix check for port enabled in team_queue_override_port_prio_changed()
https://notcve.org/view.php?id=CVE-2025-71091
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name... • https://git.kernel.org/stable/c/6c31ff366c1116823e77019bae3e92e9d77a49f4 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71089 – iommu: disable SVA when CONFIG_X86 is set
https://notcve.org/view.php?id=CVE-2025-71089
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-aft... • https://git.kernel.org/stable/c/26b25a2b98e45aeb40eedcedc586ad5034cbd984 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71087 – iavf: fix off-by-one issues in iavf_config_rss_reg()
https://notcve.org/view.php?id=CVE-2025-71087
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i... • https://git.kernel.org/stable/c/43a3d9ba34c9ca313573201d3f45de5ab3494cec •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71086 – net: rose: fix invalid array index in rose_kill_by_device()
https://notcve.org/view.php?id=CVE-2025-71086
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer der... • https://git.kernel.org/stable/c/3e0d1585799d8a991eba9678f297fd78d9f1846e •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71085 – ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
https://notcve.org/view.php?id=CVE-2025-71085
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_he... • https://git.kernel.org/stable/c/2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71084 – RDMA/cm: Fix leaking the multicast GID table reference
https://notcve.org/view.php?id=CVE-2025-71084
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.... • https://git.kernel.org/stable/c/fe454dc31e84f8c14cb8942fcb61666c9f40745b •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71083 – drm/ttm: Avoid NULL pointer deref for evicted BOs
https://notcve.org/view.php?id=CVE-2025-71083
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evi... • https://git.kernel.org/stable/c/09ac4fcb3f255e9225967c75f5893325c116cdbe •