CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54114 – net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
https://notcve.org/view.php?id=CVE-2023-54114
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+... • https://git.kernel.org/stable/c/c411ed854584a71b0e86ac3019b60e4789d88086 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54112 – kcm: Fix memory leak in error path of kcm_sendmsg()
https://notcve.org/view.php?id=CVE-2023-54112
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: kcm: Fix memory leak in error path of kcm_sendmsg() syzbot reported a memory leak like below: BUG: memory leak unreferenced object 0xffff88810b088c00 (size 240): comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s) hex dump (first 32 bytes): 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54111 – pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
https://notcve.org/view.php?id=CVE-2023-54111
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups of_find_node_by_phandle() returns a node pointer with refcount incremented, We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. In the Linux kernel, the following vulnerability has been resolved: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups of_find_node_by_phandle() returns a node pointer wi... • https://git.kernel.org/stable/c/d3e5116119bd02ea7716bbe04b39c21bba4bcf42 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54110 – usb: rndis_host: Secure rndis_query check against int overflow
https://notcve.org/view.php?id=CVE-2023-54110
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries ... • https://git.kernel.org/stable/c/ddda08624013e8435e9f7cfc34a35bd7b3520b6d •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54109 – media: rcar_fdp1: Fix refcount leak in probe and remove function
https://notcve.org/view.php?id=CVE-2023-54109
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rcar_fdp1: Fix refcount leak in probe and remove function rcar_fcp_get() take reference, which should be balanced with rcar_fcp_put(). Add missing rcar_fcp_put() in fdp1_remove and the error paths of fdp1_probe() to fix this. [hverkuil: resolve merge conflict, remove() is now void] In the Linux kernel, the following vulnerability has been resolved: media: rcar_fdp1: Fix refcount leak in probe and remove function rcar_fcp_get() take r... • https://git.kernel.org/stable/c/4710b752e029f3f82dd4a84d9dc61fe72c97bf82 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54108 – scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
https://notcve.org/view.php?id=CVE-2023-54108
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests The following message and call trace was seen with debug kernels: DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as single] WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017 check_unmap+0xf42/0x1990 Call Trace: debug_dma_unmap_page+0xc9/0x100 qla_nvme_ls_unmap+0x141/0x210 [qla2xxx] Remove DMA map... • https://git.kernel.org/stable/c/2d087c7e55db420107c3ea97b228e067a7b488a1 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-54107 – blk-cgroup: dropping parent refcount after pd_free_fn() is done
https://notcve.org/view.php?id=CVE-2023-54107
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work... • https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54105 – can: isotp: check CAN address family in isotp_bind()
https://notcve.org/view.php?id=CVE-2023-54105
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: isotp: check CAN address family in isotp_bind() Add missing check to block non-AF_CAN binds. Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field: bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10) ^^^^ This has no funtional impact but the userspace should be notified about the wrong address family field content. In the Linux kernel... • https://git.kernel.org/stable/c/de3c02383aa678f6799402ac47fdd89cf4bfcaa9 •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54104 – mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()
https://notcve.org/view.php?id=CVE-2023-54104
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 'op-cs' is copied in 'fun->mchip_number' which is used to access the 'mchip_offsets' and the 'rnb_gpio' arrays. These arrays have NAND_MAX_CHIPS elements, so the index must be below this limit. Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This would lead to out-of-bound accesses. In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand... • https://git.kernel.org/stable/c/54309d65776755bcdb9dcf3744cd764fc1e254ea •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54103 – media: mtk-jpeg: Fix use after free bug due to uncanceled work
https://notcve.org/view.php?id=CVE-2023-54103
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to uncanceled work In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work ... • https://git.kernel.org/stable/c/b2f0d2724ba477d326e9d654d4db1c93e98f8b93 •