CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71082 – Bluetooth: btusb: revert use of devm_kzalloc in btusb
https://notcve.org/view.php?id=CVE-2025-71082
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), ... • https://git.kernel.org/stable/c/98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 •
CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71081 – ASoC: stm32: sai: fix OF node leak on probe
https://notcve.org/view.php?id=CVE-2025-71081
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. • https://git.kernel.org/stable/c/5914d285f6b782892a91d6621723fdc41a775b15 •
CVSS: 6.6 | EPSS: 0% | CPEs: 12 | EXPL: 0
CVE-2025-71079 – net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
https://notcve.org/view.php?id=CVE-2025-71079
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is:
Thread A (rfkill_fop_write):
  rfkill_fop_write()
  mutex_lock(&rfkill_global_mutex)
  rfkill_set_block()
  nfc_rfkill_set_block()
  nfc_dev_down()
  device_lock(&dev->dev) <- waits for device_lock
T... • https://git.kernel.org/stable/c/3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71078 – powerpc/64s/slb: Fix SLB multihit issue during SLB preload
https://notcve.org/view.php?id=CVE-2025-71078
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction — typically after every 256 context switches — to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. H... • https://git.kernel.org/stable/c/5434ae74629af58ad0fc27143a9ea435f7734410 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71077 – tpm: Cap the number of PCR banks
https://notcve.org/view.php?id=CVE-2025-71077
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause only limited harm. • https://git.kernel.org/stable/c/bcfff8384f6c4e6627676ef07ccad9cfacd67849 •
CVSS: 7.0 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71075 – scsi: aic94xx: fix use-after-free in device removal path
https://notcve.org/view.php?id=CVE-2025-71075
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), a race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceed... • https://git.kernel.org/stable/c/2908d778ab3e244900c310974e1fc1c69066e450 •
CVSS: 7.3 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-71074 – functionfs: fix the open/removal races
https://notcve.org/view.php?id=CVE-2025-71074
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with U... • https://git.kernel.org/stable/c/ddf8abd2599491cbad959c700b90ba72a5dce8d0 •
CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-71073 – Input: lkkbd - disable pending work before freeing device
https://notcve.org/view.php?id=CVE-2025-71073
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71069 – f2fs: invalidate dentry cache on failed whiteout creation
https://notcve.org/view.php?id=CVE-2025-71069
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted dire... • https://git.kernel.org/stable/c/7e01e7ad746bc8198a8b46163ddc73a1c7d22339 •
CVSS: 6.3 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-71066 – net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
https://notcve.org/view.php?id=CVE-2025-71066
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_q... • https://git.kernel.org/stable/c/de6d25924c2a8c2988c6a385990cafbe742061bf •
