CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71064 – net: hns3: using the num_tqps in the vf driver to apply for resources
https://notcve.org/view.php?id=CVE-2025-71064
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp usi... • https://git.kernel.org/stable/c/e2cb1dec9779ba2d89302a653eb0abaeb8682196 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68822 – Input: alps - fix use-after-free bugs caused by dev3_register_work
https://notcve.org/view.php?id=CVE-2025-68822
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in... • https://git.kernel.org/stable/c/04aae283ba6a8cd4851d937bf9c6d6ef0361d794 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68819 – media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
https://notcve.org/view.php?id=CVE-2025-68819
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix o... • https://git.kernel.org/stable/c/60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68816 – net/mlx5: fw_tracer, Validate format string parameters
https://notcve.org/view.php?id=CVE-2025-68816
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (... • https://git.kernel.org/stable/c/70dd6fdb8987b14f7b6105f6be0617299e459398 •
CVSS: 6.2EPSS: 0%CPEs: 13EXPL: 0CVE-2025-68813 – ipvs: fix ipv4 null-ptr-deref in route error path
https://notcve.org/view.php?id=CVE-2025-68813
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_li... • https://git.kernel.org/stable/c/ed0de45a1008991fdaa27a0152befcb74d126a8b •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68801 – mlxsw: spectrum_router: Fix neighbour use-after-free
https://notcve.org/view.php?id=CVE-2025-68801
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid tak... • https://git.kernel.org/stable/c/6cf3c971dc84cb36579515ddb488919b9e9fb6de •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68799 – caif: fix integer underflow in cffrml_receive()
https://notcve.org/view.php?id=CVE-2025-68799
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential informatio... • https://git.kernel.org/stable/c/b482cd2053e3b90a7b33a78c63cdb6badf2ec383 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68797 – char: applicom: fix NULL pointer dereference in ac_ioctl
https://notcve.org/view.php?id=CVE-2025-68797
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer derefe... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.0EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68796 – f2fs: fix to avoid updating zero-sized extent in extent cache
https://notcve.org/view.php?id=CVE-2025-68796
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIO... • https://git.kernel.org/stable/c/6e9619499f53b22ead972e476c0e8341c997d929 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68795 – ethtool: Avoid overflowing userspace buffer on stats query
https://notcve.org/view.php?id=CVE-2025-68795
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stabl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •