CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-53829 – f2fs: flush inode if atomic file is aborted
https://notcve.org/view.php?id=CVE-2023-53829
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: flush inode if atomic file is aborted Let's flush the inode being aborted atomic operation to avoid stale dirty inode during eviction in this call stack: f2fs_mark_inode_dirty_sync+0x22/0x40 [f2fs] f2fs_abort_atomic_write+0xc4/0xf0 [f2fs] f2fs_evict_inode+0x3f/0x690 [f2fs] ? sugov_start+0x140/0x140 evict+0xc3/0x1c0 evict_inodes+0x17b/0x210 generic_shutdown_super+0x32/0x120 kill_block_super+0x21/0x50 deactivate_locked_super+0x31/0x90 c... • https://git.kernel.org/stable/c/1c64dbe8fa3552a340bca6d7fa09468c16ed2a85 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53827 – Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
https://notcve.org/view.php?id=CVE-2023-53827
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Similar to commit d0be8347c623 ("Bluetooth:... • https://git.kernel.org/stable/c/f2d38e77aa5f3effc143e7dd24da8acf02925958 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53826 – ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
https://notcve.org/view.php?id=CVE-2023-53826
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() Wear-leveling entry could be freed in error path, which may be accessed again in eraseblk_count_seq_show(), for example: __erase_worker eraseblk_count_seq_show wl = ubi->lookuptbl[*block_number] if (wl) wl_entry_destroy ubi->lookuptbl[e->pnum] = NULL kmem_cache_free(ubi_wl_entry_slab, e) erase_count = wl->ec // UAF! Wear-leveling entry updating/accessing in ubi->lookuptbl should ... • https://git.kernel.org/stable/c/801c135ce73d5df1caf3eca35b66a10824ae0707 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53825 – kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
https://notcve.org/view.php?id=CVE-2023-53825
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by updating kcm_tx_msg(head)->last_skb if partial data is copied so that the following sendmsg() will resume from the skb. However, we cannot know how many bytes were copied when we get the error. Thus, we could mess up the MSG_MORE queue. When ... • https://git.kernel.org/stable/c/ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 •
CVSS: 4.7EPSS: 0%CPEs: 5EXPL: 0CVE-2023-53824 – netlink: annotate lockless accesses to nlk->max_recvmsg_len
https://notcve.org/view.php?id=CVE-2023-53824
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: annotate lockless accesses to nlk->max_recvmsg_len syzbot reported a data-race in data-race in netlink_recvmsg() [1] Indeed, netlink_recvmsg() can be run concurrently, and netlink_dump() also needs protection. [1] BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0: netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988 sock_recvmsg_nosec net/socket.c:1017 [inlin... • https://git.kernel.org/stable/c/9063e21fb026c4966fc93261c18322214f9835eb •
CVSS: 6.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-53822 – wifi: ath11k: Ignore frags from uninitialized peer in dp.
https://notcve.org/view.php?id=CVE-2023-53822
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Ignore frags from uninitialized peer in dp. When max virtual ap interfaces are configured in all the bands with ACS and hostapd restart is done every 60s, a crash is observed at random times. In this certain scenario, a fragmented packet is received for self peer, for which rx_tid and rx_frags are not initialized in datapath. While handling this fragment, crash is observed as the rx_frag list is uninitialised and when we walk ... • https://git.kernel.org/stable/c/e78526a06b53718bfc1dfff37864c7760e41f8ec •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53821 – ip6_vti: fix slab-use-after-free in decode_session6
https://notcve.org/view.php?id=CVE-2023-53821
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix slab-use-after-free in decode_session6 When ipv6_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ipv6_vti device sends IPv6 packets. The stack information is as follows: BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 No... • https://git.kernel.org/stable/c/f855691975bb06373a98711e4cfe2c224244b536 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-50678 – wifi: brcmfmac: fix invalid address access when enabling SCAN log level
https://notcve.org/view.php?id=CVE-2022-50678
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting random MAC address and causes invalid address access when printing the value of pi->reqs[i]->reqid. We replace reqs index with ri to fix the issue. [ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ 136.737365] Mem abort info: [ 136.740172] ESR = 0x96000004 [ 1... • https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50676 – net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
https://notcve.org/view.php?id=CVE-2022-50676
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section protected by lock_sock() without realizing that rds_send_xmit() might call lock_sock(). We don't need to protect cancel_delayed_work_sync() using lo... • https://git.kernel.org/stable/c/ac3615e7f3cffe2a1a6b25172dfd09e138593d82 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50673 – ext4: fix use-after-free in ext4_orphan_cleanup
https://notcve.org/view.php?id=CVE-2022-50673
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught a issue as follows: ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0 Read of size 8 at addr ffff88814b13f378 by task mount/710 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370 Call Trace: