CVSS: 5.5 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-68281 – ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list
https://notcve.org/view.php?id=CVE-2025-68281
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list "struct sdca_control" declares "values" field as integer array. But the memory allocated to it is of char array. This causes crash for sdca_parse_function API. This patch addresses the issue by allocating correct data size. • https://git.kernel.org/stable/c/fcd5786b506c51cbabc2560c68e040d8dba22a0d •
CVSS: 7.1 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-68266 – bfs: Reconstruct file type when loading from disk
https://notcve.org/view.php?id=CVE-2025-68266
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted or when the 32bits "attributes" field loaded from disk are corrupted. A documentation says that BFS uses only lower 9 bits of the "mode" field. But I can't find an explicit explanation that the unused upper 23 bits (especially, the S_IFMT bits)... • https://git.kernel.org/stable/c/77899444d46162aeb65f229590c26ba266864223 •
CVSS: 8.5 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-68265 – nvme: fix admin request_queue lifetime
https://notcve.org/view.php?id=CVE-2025-68265
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin request_queue lifetime The namespaces can access the controller's admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller's 'put' to after all controller references have been released to ensure no one can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in bl... • https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf •
CVSS: 7.1 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-68264 – ext4: refresh inline data size before write operations
https://notcve.org/view.php?id=CVE-2025-68264
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline... • https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b •
CVSS: 9.3 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-68263 – ksmbd: ipc: fix use-after-free in ipc_msg_send_request
https://notcve.org/view.php?id=CVE-2025-68263
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is c... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 7.1 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-68262 – crypto: zstd - fix double-free in per-CPU stream cleanup
https://notcve.org/view.php?id=CVE-2025-68262
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: zstd - fix double-free in per-CPU stream cleanup The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed. The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free. This lea... • https://git.kernel.org/stable/c/f5ad93ffb54119a8dc5e18f070624d4ead586969 •
CVSS: 7.3 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2025-68261 – ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
https://notcve.org/view.php?id=CVE-2025-68261
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). ... • https://git.kernel.org/stable/c/c755e251357a0cee0679081f08c3f4ba797a8009 •
CVSS: 7.1 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-68260 – rust_binder: fix race condition on death_list
https://notcve.org/view.php?id=CVE-2025-68260
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix race condition on death_list Rust Binder contains the following unsafe operation: // SAFETY: A `NodeDeath` is never inserted into the death list // of any node other than its owner, so it is either in this // death list or in no death list. unsafe { node_inner.death_list.remove(self) }; This operation is unsafe because when touching the prev/next pointers of a list element, we have to ensure that no other thread is also tou... • https://git.kernel.org/stable/c/eafedbc7c050c44744fbdf80bdf3315e860b7513 •
CVSS: 8.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-68259 – KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
https://notcve.org/view.php?id=CVE-2025-68259
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced When re-injecting a soft interrupt from an INT3, INTO, or (select) INTn instruction, discard the exception and retry the instruction if the code stream is changed (e.g. by a different vCPU) between when the CPU executes the instruction and when KVM decodes the instruction to get the next RIP. As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO in... • https://git.kernel.org/stable/c/6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 •
CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-68258 – comedi: multiq3: sanitize config options in multiq3_attach()
https://notcve.org/view.php?id=CVE-2025-68258
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_at... • https://git.kernel.org/stable/c/77e01cdbad5175f56027fd6fae00bd0fc175651a •
