CVSS: 7.3EPSS: 0%CPEs: 13EXPL: 0CVE-2025-68261 – ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
https://notcve.org/view.php?id=CVE-2025-68261
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). ... • https://git.kernel.org/stable/c/c755e251357a0cee0679081f08c3f4ba797a8009 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68258 – comedi: multiq3: sanitize config options in multiq3_attach()
https://notcve.org/view.php?id=CVE-2025-68258
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_at... • https://git.kernel.org/stable/c/77e01cdbad5175f56027fd6fae00bd0fc175651a •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68256 – staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
https://notcve.org/view.php?id=CVE-2025-68256
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68255 – staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
https://notcve.org/view.php?id=CVE-2025-68255
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bou... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68254 – staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
https://notcve.org/view.php?id=CVE-2025-68254
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE bo... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68245 – net: netpoll: fix incorrect refcount handling causing incorrect cleanup
https://notcve.org/view.php?id=CVE-2025-68245
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared... • https://git.kernel.org/stable/c/efa95b01da18ad22af62f6d99a3243f3be8fd264 •
CVSS: 5.6EPSS: 0%CPEs: 14EXPL: 0CVE-2025-68241 – ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
https://notcve.org/view.php?id=CVE-2025-68241
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exc... • https://git.kernel.org/stable/c/e46e23c289f62ccd8e2230d9ce652072d777ff30 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68239 – binfmt_misc: restore write access before closing files opened by open_exec()
https://notcve.org/view.php?id=CVE-2025-68239
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write oper... • https://git.kernel.org/stable/c/e7850f4d844e0acfac7e570af611d89deade3146 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68231 – mm/mempool: fix poisoning order>0 pages with HIGHMEM
https://notcve.org/view.php?id=CVE-2025-68231
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware na... • https://git.kernel.org/stable/c/bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68229 – scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
https://notcve.org/view.php?id=CVE-2025-68229
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: err... • https://git.kernel.org/stable/c/2628b352c3d4905adf8129ea50900bd980b6ccef •