CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71150 – ksmbd: Fix refcount leak when invalid session is found on session lookup
https://notcve.org/view.php?id=CVE-2025-71150
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. In the Linux kernel, th... • https://git.kernel.org/stable/c/37a0e2b362b3150317fb6e2139de67b1e29ae5ff •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71149 – io_uring/poll: correctly handle io_poll_add() return value on update
https://notcve.org/view.php?id=CVE-2025-71149
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ens... • https://git.kernel.org/stable/c/97b388d70b53fd7d286ac1b81e5a88bd6af98209 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71148 – net/handshake: restore destructor on submit failure
https://notcve.org/view.php?id=CVE-2025-71148
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshak... • https://git.kernel.org/stable/c/3b3009ea8abb713b022d94fba95ec270cf6e7eae •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71147 – KEYS: trusted: Fix a memory leak in tpm2_load_cmd
https://notcve.org/view.php?id=CVE-2025-71147
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper. In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in... • https://git.kernel.org/stable/c/f2219745250f388edacabe6cca73654131c67d0a •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-71145 – usb: phy: isp1301: fix non-OF device reference imbalance
https://notcve.org/view.php?id=CVE-2025-71145
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the re... • https://git.kernel.org/stable/c/21c7c83d592e6335bfb6d65608da3726f976bad4 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22977 – net: sock: fix hardened usercopy panic in sock_recv_errqueue
https://notcve.org/view.php?id=CVE-2026-22977
21 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone... • https://git.kernel.org/stable/c/6d07d1cd300f4c7e16005f881fea388164999cc8 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22976 – net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
https://notcve.org/view.php?id=CVE-2026-22976
21 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_ne... • https://git.kernel.org/stable/c/0545a3037773512d3448557ba048cebb73b3e4af •
CVSS: 8.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71144 – mptcp: ensure context reset on disconnect()
https://notcve.org/view.php?id=CVE-2025-71144
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anymore the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unco... • https://git.kernel.org/stable/c/3a13454fd098ed51e733958488f8ec62859a9ed8 •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71143 – clk: samsung: exynos-clkout: Assign .num before accessing .hws
https://notcve.org/view.php?id=CVE-2025-71143
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with... • https://git.kernel.org/stable/c/f316cdff8d677db9ad9c90acb44c4cd535b0ee27 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71141 – drm/tilcdc: Fix removal actions in case of failed probe
https://notcve.org/view.php?id=CVE-2025-71141
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate... • https://git.kernel.org/stable/c/69f03be1fa08a66735d53d92d3429c052540e3bf •