CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68255 – staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
https://notcve.org/view.php?id=CVE-2025-68255
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bou... • https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68254 – staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
https://notcve.org/view.php?id=CVE-2025-68254
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE bo... • https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5 •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68252 – misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup
https://notcve.org/view.php?id=CVE-2025-68252
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup In fastrpc_map_lookup, dma_buf_get is called to obtain a reference to the dma_buf for comparison purposes. However, this reference is never released when the function returns, leading to a dma_buf memory leak. Fix this by adding dma_buf_put before returning from the function, ensuring that the temporarily acquired reference is properly released regardless of whether a matching map... • https://git.kernel.org/stable/c/ec5cb80503bbfee67573699fe52fcf456fd57678 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68251 – erofs: avoid infinite loops due to corrupted subpage compact indexes
https://notcve.org/view.php?id=CVE-2025-68251
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: erofs: avoid infinite loops due to corrupted subpage compact indexes Robert reported an infinite loop observed by two crafted images. The root cause is that `clusterofs` can be larger than `lclustersize` for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.: blocksize = lclustersize = 512 lcn = 6 clusterofs = 515 Move the corresponding check for full compress indexes to `z_erofs_load_lcluster_from_disk()` to also cover subpage... • https://git.kernel.org/stable/c/8d2517aaeea3ab8651bb517bca8f3c8664d318ea •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68249 – most: usb: hdm_probe: Fix calling put_device() before device initialization
https://notcve.org/view.php?id=CVE-2025-68249
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: most: usb: hdm_probe: Fix calling put_device() before device initialization The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject. In this path the private struct was only kmalloc'ed and the intended release is effecti... • https://git.kernel.org/stable/c/97a6f772f36b7f52bcfa56a581bbd2470cffe23d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68246 – ksmbd: close accepted socket when per-IP limit rejects connection
https://notcve.org/view.php?id=CVE-2025-68246
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: close accepted socket when per-IP limit rejects connection When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS. Release client_sk before continuing. This bug was found with ZeroPath. In the Linux kernel, the following vulnerabil... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68245 – net: netpoll: fix incorrect refcount handling causing incorrect cleanup
https://notcve.org/view.php?id=CVE-2025-68245
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared... • https://git.kernel.org/stable/c/efa95b01da18ad22af62f6d99a3243f3be8fd264 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68244 – drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
https://notcve.org/view.php?id=CVE-2025-68244
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.... • https://git.kernel.org/stable/c/7d1c2618eac590d948eb33b9807d913ddb6e105f •
CVSS: 5.6EPSS: 0%CPEs: 14EXPL: 0CVE-2025-68241 – ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
https://notcve.org/view.php?id=CVE-2025-68241
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exc... • https://git.kernel.org/stable/c/e46e23c289f62ccd8e2230d9ce652072d777ff30 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68239 – binfmt_misc: restore write access before closing files opened by open_exec()
https://notcve.org/view.php?id=CVE-2025-68239
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write oper... • https://git.kernel.org/stable/c/e7850f4d844e0acfac7e570af611d89deade3146 •