CVSS: 8.4EPSS: %CPEs: 7EXPL: 0CVE-2025-71104 – KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
https://notcve.org/view.php?id=CVE-2025-71104
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an ... • https://git.kernel.org/stable/c/d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-71102 – scs: fix a wrong parameter in __scs_magic
https://notcve.org/view.php?id=CVE-2025-71102
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage check... • https://git.kernel.org/stable/c/5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71101 – platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
https://notcve.org/view.php?id=CVE-2025-71101
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields li... • https://git.kernel.org/stable/c/e6c7b3e15559699a30646dd45195549c7db447bd •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71100 – wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
https://notcve.org/view.php?id=CVE-2025-71100
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, UBSAN warn: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]' In the Linux kernel, the following vulnerability has been resolve... • https://git.kernel.org/stable/c/8ca4cdef93297c9b9bf08da39bc940bd20acbb94 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71098 – ip6_gre: make ip6gre_header() robust
https://notcve.org/view.php?id=CVE-2025-71098
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_pa... • https://git.kernel.org/stable/c/c12b395a46646bab69089ce7016ac78177f6001f •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71097 – ipv4: Fix reference count leak when using error routes with nexthop objects
https://notcve.org/view.php?id=CVE-2025-71097
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when t... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71096 – RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
https://notcve.org/view.php?id=CVE-2025-71096
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation ... • https://git.kernel.org/stable/c/ae43f8286730d1f2d241c34601df59f6d2286ac4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71095 – net: stmmac: fix the crash issue for zero copy XDP_TX action
https://notcve.org/view.php?id=CVE-2025-71095
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] s... • https://git.kernel.org/stable/c/bba2556efad66e7eaa56fece13f7708caa1187f8 •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71094 – net: usb: asix: validate PHY address before use
https://notcve.org/view.php?id=CVE-2025-71094
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. In the Linux kernel, the foll... • https://git.kernel.org/stable/c/7e88b11a862afe59ee0c365123ea5fb96a26cb3b •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71093 – e1000: fix OOB in e1000_tbi_should_accept()
https://notcve.org/view.php?id=CVE-2025-71093
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ============================================================... • https://git.kernel.org/stable/c/2037110c96d5f1dd71453fcd0d54e79be12a352b •