CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54111 – pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
https://notcve.org/view.php?id=CVE-2023-54111
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups of_find_node_by_phandle() returns a node pointer with refcount incremented, We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. In the Linux kernel, the following vulnerability has been resolved: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups of_find_node_by_phandle() returns a node pointer wi... • https://git.kernel.org/stable/c/d3e5116119bd02ea7716bbe04b39c21bba4bcf42 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54110 – usb: rndis_host: Secure rndis_query check against int overflow
https://notcve.org/view.php?id=CVE-2023-54110
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries ... • https://git.kernel.org/stable/c/ddda08624013e8435e9f7cfc34a35bd7b3520b6d •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54109 – media: rcar_fdp1: Fix refcount leak in probe and remove function
https://notcve.org/view.php?id=CVE-2023-54109
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rcar_fdp1: Fix refcount leak in probe and remove function rcar_fcp_get() take reference, which should be balanced with rcar_fcp_put(). Add missing rcar_fcp_put() in fdp1_remove and the error paths of fdp1_probe() to fix this. [hverkuil: resolve merge conflict, remove() is now void] In the Linux kernel, the following vulnerability has been resolved: media: rcar_fdp1: Fix refcount leak in probe and remove function rcar_fcp_get() take r... • https://git.kernel.org/stable/c/4710b752e029f3f82dd4a84d9dc61fe72c97bf82 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54108 – scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
https://notcve.org/view.php?id=CVE-2023-54108
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests The following message and call trace was seen with debug kernels: DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as single] WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017 check_unmap+0xf42/0x1990 Call Trace: debug_dma_unmap_page+0xc9/0x100 qla_nvme_ls_unmap+0x141/0x210 [qla2xxx] Remove DMA map... • https://git.kernel.org/stable/c/2d087c7e55db420107c3ea97b228e067a7b488a1 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-54107 – blk-cgroup: dropping parent refcount after pd_free_fn() is done
https://notcve.org/view.php?id=CVE-2023-54107
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work... • https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54105 – can: isotp: check CAN address family in isotp_bind()
https://notcve.org/view.php?id=CVE-2023-54105
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: isotp: check CAN address family in isotp_bind() Add missing check to block non-AF_CAN binds. Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field: bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10) ^^^^ This has no funtional impact but the userspace should be notified about the wrong address family field content. In the Linux kernel... • https://git.kernel.org/stable/c/de3c02383aa678f6799402ac47fdd89cf4bfcaa9 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54103 – media: mtk-jpeg: Fix use after free bug due to uncanceled work
https://notcve.org/view.php?id=CVE-2023-54103
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to uncanceled work In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work ... • https://git.kernel.org/stable/c/b2f0d2724ba477d326e9d654d4db1c93e98f8b93 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54102 – scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
https://notcve.org/view.php?id=CVE-2023-54102
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow A static code analysis tool flagged the possibility of buffer overflow when using copy_from_user() for a debugfs entry. Currently, it is possible that copy_from_user() copies more bytes than what would fit in the mybuf char array. Add a min() restriction check between sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect against buffer overflow. In the Linu... • https://git.kernel.org/stable/c/644a9d5e22761a41d5005a26996a643da96de962 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54099 – fs: Protect reconfiguration of sb read-write from racing writes
https://notcve.org/view.php?id=CVE-2023-54099
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: Protect reconfiguration of sb read-write from racing writes The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as ... • https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54098 – drm/i915/gvt: fix gvt debugfs destroy
https://notcve.org/view.php?id=CVE-2023-54098
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/gvt: fix gvt debugfs destroy When gvt debug fs is destroyed, need to have a sane check if drm minor's debugfs root is still available or not, otherwise in case like device remove through unbinding, drm minor's debugfs directory has already been removed, then intel_gvt_debugfs_clean() would act upon dangling pointer like below oops. i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state f... • https://git.kernel.org/stable/c/bc7b0be316aebac42eb9e8e54c984609555944da •