CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54035 – netfilter: nf_tables: fix underflow in chain reference counter
https://notcve.org/view.php?id=CVE-2023-54035
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix underflow in chain reference counter Set element addition error path decrements reference counter on chains twice: once on element release and again via nft_data_release(). Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object reference counter") incorrectly fixed this by removing the stateful object reference count decrement. Restore the stateful object decrement as in b91d90368837 ("netfilter: nf_tab... • https://git.kernel.org/stable/c/628bd3e49cba1c066228e23d71a852c23e26da73 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2023-54034 – iommufd: Make sure to zero vfio_iommu_type1_info before copying to user
https://notcve.org/view.php?id=CVE-2023-54034
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: iommufd: Make sure to zero vfio_iommu_type1_info before copying to user Missed a zero initialization here. Most of the struct is filled with a copy_from_user(), however minsz for that copy is smaller than the actual struct by 8 bytes, thus we don't fill the padding. • https://git.kernel.org/stable/c/d624d6652a65ad4f47a58b8651a1ec1163bb81d3 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54033 – bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
https://notcve.org/view.php?id=CVE-2023-54033
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps The LRU and LRU_PERCPU maps allocate a new element on update before locking the target hash table bucket. Right after that the maps try to lock the bucket. If this fails, then maps return -EBUSY to the caller without releasing the allocated element. This makes the element untracked: it doesn't belong to either of free lists, and it doesn't belong to the hash table, so can't be re-us... • https://git.kernel.org/stable/c/20b6cc34ea74b6a84599c1f8a70f3315b56a1883 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54032 – btrfs: fix race when deleting quota root from the dirty cow roots list
https://notcve.org/view.php?id=CVE-2023-54032
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting quota root from the dirty cow roots list When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can ... • https://git.kernel.org/stable/c/bed92eae26ccf280d1a2168b7509447b56675a27 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54031 – vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
https://notcve.org/view.php?id=CVE-2023-54031
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops. That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023... • https://git.kernel.org/stable/c/13b00b135665c92065a27c0c39dd97e0f380bd4f •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2023-54030 – io_uring/net: don't overflow multishot recv
https://notcve.org/view.php?id=CVE-2023-54030
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/net: don't overflow multishot recv Don't allow overflowing multishot recv CQEs, it might get out of hand, hurt performance, and in the worst case scenario OOM the task. • https://git.kernel.org/stable/c/b3fdea6ecb55c3ceea866ff66486927e51a982b3 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54029 – wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO
https://notcve.org/view.php?id=CVE-2023-54029
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO For MLO, we cannot use vif->bss_conf.chandef.chan->band, since that will lead to a NULL-ptr dereference as bss_conf isn't used. However, in case of real MLO, we also need to take both LMACs into account if they exist, since the station might be active on both LMACs at the same time. • https://git.kernel.org/stable/c/63e2d06adf6b0842132ba89efdf8fada5f7ff1ac •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54028 – RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"
https://notcve.org/view.php?id=CVE-2023-54028
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task" In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize qp, internally things like rxe_init_task are not setup until rxe_qp_init_req(). If an error occurred before this point then the unwind will call rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() which will oops when trying to access the uninitialized spinlock. If rxe... • https://git.kernel.org/stable/c/8700e3e7c4857d28ebaa824509934556da0b3e76 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54027 – iio: core: Prevent invalid memory access when there is no parent
https://notcve.org/view.php?id=CVE-2023-54027
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: core: Prevent invalid memory access when there is no parent Commit 813665564b3d ("iio: core: Convert to use firmware node handle instead of OF node") switched the kind of nodes to use for label retrieval in device registration. Probably an unwanted change in that commit was that if the device has no parent then NULL pointer is accessed. This is what happens in the stock IIO dummy driver when a new entry is created in configfs: # mkdir ... • https://git.kernel.org/stable/c/813665564b3d7c74412fe2877520f1d254ce948a •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54026 – opp: Fix use-after-free in lazy_opp_tables after probe deferral
https://notcve.org/view.php?id=CVE-2023-54026
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: opp: Fix use-after-free in lazy_opp_tables after probe deferral When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns -EPROBE_DEFER, the opp_table is freed again, to wait until all the interconnect paths are available. However, if the OPP table is using required-opps then it may already have been added to the global lazy_opp_tables list. The error path does not remove the opp_table from the list again. This can cause crashes ... • https://git.kernel.org/stable/c/7eba0c7641b0009818e469dbfcdd87a0155ab9d4 •