
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial num... • https://git.kernel.org/stable/c/7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 •

CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS is sent as transmit MCS, which goes against firmware's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff being assigned to he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Suppor... • https://git.kernel.org/stable/c/61fe43e7216df6e9a912d831aafc7142fa20f280 •

CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask. Call Trace: rxe_modify_s... • https://git.kernel.org/stable/c/8700e3e7c4857d28ebaa824509934556da0b3e76 •

CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check in __bpf_get_stackid() Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array. • https://git.kernel.org/stable/c/ee2a098851bfbe8bcdd964c0121f4246f00ff41e •

CVSS: 7.1 • EPSS: 0% • CPEs: 10 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_... • https://git.kernel.org/stable/c/87aac3a80af5cbad93e63250e8a1e19095ba0d30 •

CVSS: 6.9 • EPSS: 0% • CPEs: 6 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix device resources accessed after device removal Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and i... • https://git.kernel.org/stable/c/2d80f4054f7f901b8ad97358a9069616ac8524c7 •

CVSS: 6.9 • EPSS: 0% • CPEs: 7 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs3: init run lock for extend inode After setting the inode mode of $Extend to a regular file, executing the truncate system call will enter the do_truncate() routine, causing the run_lock uninitialized error reported by syzbot. Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to a regular file, the do_truncate() routine would not be entered. Add the run_lock initialization when loading $Extend. syzbot reported: INFO:... • https://git.kernel.org/stable/c/78d46f5276ed3589aaaa435580068c5b62efc921 •

CVSS: 6.9 • EPSS: 0% • CPEs: 6 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted ... • https://git.kernel.org/stable/c/99b089c3c38a83ebaeb1cc4584ddcde841626467 •

CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition... • https://git.kernel.org/stable/c/e46c7287b1c27683a8e30ca825fb98e2b97f1099 •

CVSS: 5.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Initialize allocated memory before use KMSAN reports: Multiple uninitialized values detected: - KMSAN: uninit-value in ntfs_read_hdr (3) - KMSAN: uninit-value in bcmp (3) Memory is allocated by __getname(), which is a wrapper for kmem_cache_alloc(). This memory is used before being properly cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to properly allocate and clear memory before use. • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 •