CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68200 – bpf: Add bpf_prog_run_data_pointers()
https://notcve.org/view.php?id=CVE-2025-68200
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Add bpf_prog_run_data_pointers() syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:... • https://git.kernel.org/stable/c/0d76daf2013ce1da20eab5e26bd81d983e1c18fb •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68199 – codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext
https://notcve.org/view.php?id=CVE-2025-68199
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty. As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY. Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB... • https://git.kernel.org/stable/c/09c46563ff6d5f090211e48ff1fdba0ec7f4c97f •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68198 – crash: fix crashkernel resource shrink
https://notcve.org/view.php?id=CVE-2025-68198
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: crash: fix crashkernel resource shrink When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues: 1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB). The reservation appears as: cat /proc/iomem | grep -i ... • https://git.kernel.org/stable/c/16c6006af4d4e70ecef93977a5314409d931020b •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68194 – media: imon: make send_packet() more robust
https://notcve.org/view.php?id=CVE-2025-68194
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: imon: make send_packet() more robust syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1]. First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding ... • https://git.kernel.org/stable/c/21677cfc562a27e099719d413287bc8d1d24deb7 •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2025-68193 – drm/xe/guc: Add devm release action to safely tear down CT
https://notcve.org/view.php?id=CVE-2025-68193
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Add devm release action to safely tear down CT When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in: Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace: guc_ct_send_locked+0x8b/0x670 [xe] xe_guc_ct... • https://git.kernel.org/stable/c/231c4110873a5db4975512c30aa10edcc5be56e2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68192 – net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
https://notcve.org/view.php?id=CVE-2025-68192
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks. Initialize the MAC header to prevent such crashes. This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface. Example trace: Internal error: Oops: 000000009... • https://git.kernel.org/stable/c/c6adf77953bcec0ad63d7782479452464e50f7a3 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68191 – udp_tunnel: use netdev_warn() instead of netdev_WARN()
https://notcve.org/view.php?id=CVE-2025-68191
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: use netdev_warn() instead of netdev_WARN() netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug. udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug. Replace netdev_WARN() with netd... • https://git.kernel.org/stable/c/cc4e3835eff474aa274d6e1d18f69d9d296d3b76 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68190 – drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
https://notcve.org/view.php?id=CVE-2025-68190
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries. Return -ENOMEM on allocation failure to avoid the NULL dereference. In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/atom:... • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68188 – tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()
https://notcve.org/view.php?id=CVE-2025-68188
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags. In the Linux kernel, the following vulnerability has been resolved: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags. Several security issues were discovered in the Linux kernel. An attacker... • https://git.kernel.org/stable/c/cf1ef3f0719b4dcb74810ed507e2a2540f9811b4 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68186 – ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up
https://notcve.org/view.php?id=CVE-2025-68186
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning. This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for. If the ... • https://git.kernel.org/stable/c/117c39200d9d760cbd5944bb89efb7b9c51965aa •