CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68258 – comedi: multiq3: sanitize config options in multiq3_attach()
https://notcve.org/view.php?id=CVE-2025-68258
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_at... • https://git.kernel.org/stable/c/77e01cdbad5175f56027fd6fae00bd0fc175651a •
CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68256 – staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
https://notcve.org/view.php?id=CVE-2025-68256
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or... • https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5 •
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68255 – staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
https://notcve.org/view.php?id=CVE-2025-68255
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bou... • https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b •
CVSS: 8.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-68254 – staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
https://notcve.org/view.php?id=CVE-2025-68254
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE bo... • https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-68246 – ksmbd: close accepted socket when per-IP limit rejects connection
https://notcve.org/view.php?id=CVE-2025-68246
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: close accepted socket when per-IP limit rejects connection When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS. Release client_sk before continuing. This bug was found with ZeroPath. In the Linux kernel, the following vulnerabil... • https://git.kernel.org/stable/c/7a3c7154d5fc05956a8ad9e72ecf49e21555bfca •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-68245 – net: netpoll: fix incorrect refcount handling causing incorrect cleanup
https://notcve.org/view.php?id=CVE-2025-68245
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared... • https://git.kernel.org/stable/c/efa95b01da18ad22af62f6d99a3243f3be8fd264 •
CVSS: 5.6 | EPSS: 0% | CPEs: 14 | EXPL: 0
CVE-2025-68241 – ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
https://notcve.org/view.php?id=CVE-2025-68241
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exc... • https://git.kernel.org/stable/c/e46e23c289f62ccd8e2230d9ce652072d777ff30 •
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-68239 – binfmt_misc: restore write access before closing files opened by open_exec()
https://notcve.org/view.php?id=CVE-2025-68239
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write oper... • https://git.kernel.org/stable/c/e7850f4d844e0acfac7e570af611d89deade3146 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-68236 – scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)
https://notcve.org/view.php?id=CVE-2025-68236
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) According to UFS specifications, the power-off sequence for a UFS device includes: - Sending an SSU command with Power_Condition=3 and awaiting a response. - Asserting RST_N low. - Turning off REF_CLK. - Turning off VCC. - Turning off VCCQ/VCCQ2. As part of ufs shutdown, after the SSU command completion, asserting hardware reset (HWRST) triggers the device firmware to wake up ... • https://git.kernel.org/stable/c/b712f234a74c1f5ce70b5d7aec3fc2499c258141 •
CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-68231 – mm/mempool: fix poisoning order>0 pages with HIGHMEM
https://notcve.org/view.php?id=CVE-2025-68231
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware na... • https://git.kernel.org/stable/c/bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 •
