CVSS: 5.5 | EPSS: 0% | CPEs: 12 | EXPL: 0 | CVE-2025-68295 – smb: client: fix memory leak in cifs_construct_tcon()
https://notcve.org/view.php?id=CVE-2025-68295
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix memory leak in cifs_construct_tcon(). When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon(). This fixes the following memory leak reported by kmemleak:
    mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
    su - testuser
    cifscreds add -d ZELDA -u testuser
    ...
    ls /mnt/1
    ...
    umount /mnt...
https://git.kernel.org/stable/c/f2aee329a68f5a907bcff11a109dfe17c0b41aeb

CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2025-68290 – most: usb: fix double free on late probe failure
https://notcve.org/view.php?id=CVE-2025-68290
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure. The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads to bugs in the MOST drivers, and a couple of recent changes turned a reference underflow and use-after-free in the USB driver into several double free and a use-after-free on late probe failures. ...
https://git.kernel.org/stable/c/723de0f9171eeb49a3ae98cae82ebbbb992b3a7c

CVSS: 5.5 | EPSS: 0% | CPEs: 14 | EXPL: 0 | CVE-2025-68289 – usb: gadget: f_eem: Fix memory leak in eem_unwrap
https://notcve.org/view.php?id=CVE-2025-68289
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap. The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all allocated resources on usb_ep_queue failure. This patch continues to use goto logic for error handling, as the existing error handling is complex and not easily adaptable to auto-cleanup helpers. kmemleak results: unreferenced object 0...
https://git.kernel.org/stable/c/3b545788505b2e2883aff13bdddeacaf88942a4f

CVSS: 5.6 | EPSS: 0% | CPEs: 13 | EXPL: 0 | CVE-2025-68288 – usb: storage: Fix memory leak in USB bulk transport
https://notcve.org/view.php?id=CVE-2025-68288
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: storage: Fix memory leak in USB bulk transport. A kernel memory leak was identified by the 'ioctl_sg01' test from Linux Test Project (LTP). The following bytes were mainly observed: 0x53425355. When USB storage devices incorrectly skip the data phase with status data, the code extracts/validates the CSW from the sg buffer, but fails to clear it afterwards. This leaves status protocol data in srb's transfer buffer, such as the US_BULK_CS...
https://git.kernel.org/stable/c/a45b599ad808c3c982fdcdc12b0b8611c2f92824

CVSS: 7.0 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2025-68287 – usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
https://notcve.org/view.php?id=CVE-2025-68287
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths. This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`:
    Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call ...
https://git.kernel.org/stable/c/72246da40f3719af3bfd104a2365b32537c27d83

CVSS: 5.5 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2025-68286 – drm/amd/display: Check NULL before accessing
https://notcve.org/view.php?id=CVE-2025-68286
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing. [WHAT] IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic fails with NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitor connected.
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: Oops: 0000 [#1] SMP NOPTI
    CPU: 13 UID: 0 PID: ...
https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2

CVSS: 6.3 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2025-68285 – libceph: fix potential use-after-free in have_mon_and_osd_map()
https://notcve.org/view.php?id=CVE-2025-68285
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map(). The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one
    kfree(monc->monmap);
    monc->monmap = monmap;
    ceph_osdmap_destroy(osdc->osdmap);
    osdc->osdmap = newmap;
under client->monc.mutex and clie...
https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c

CVSS: 6.6 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-68284 – libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
https://notcve.org/view.php?id=CVE-2025-68284
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key(). The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ] ...
https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d

CVSS: 7.2 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-68283 – libceph: replace BUG_ON with bounds check for map->max_osd
https://notcve.org/view.php?id=CVE-2025-68283
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd. OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ] ...
https://git.kernel.org/stable/c/57f5fbae9f1024aba17ff75e00433324115c548a

CVSS: 6.9 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-68282 – usb: gadget: udc: fix use-after-free in usb_gadget_state_work
https://notcve.org/view.php?id=CVE-2025-68282
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: udc: fix use-after-free in usb_gadget_state_work. A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN:
    BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
    Workqueue: events usb_gadget_state_work
The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup proce...
https://git.kernel.org/stable/c/5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15
