CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68802 – drm/xe: Limit num_syncs to prevent oversized allocations
https://notcve.org/view.php?id=CVE-2025-68802
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. " ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 ... • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68801 – mlxsw: spectrum_router: Fix neighbour use-after-free
https://notcve.org/view.php?id=CVE-2025-68801
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid tak... • https://git.kernel.org/stable/c/6cf3c971dc84cb36579515ddb488919b9e9fb6de •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68800 – mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
https://notcve.org/view.php?id=CVE-2025-68800
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. F... • https://git.kernel.org/stable/c/f38656d067257cc43b652958dd154e1ab0773701 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68799 – caif: fix integer underflow in cffrml_receive()
https://notcve.org/view.php?id=CVE-2025-68799
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential informatio... • https://git.kernel.org/stable/c/b482cd2053e3b90a7b33a78c63cdb6badf2ec383 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68798 – perf/x86/amd: Check event before enable to avoid GPF
https://notcve.org/view.php?id=CVE-2025-68798
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probabl... • https://git.kernel.org/stable/c/ada543459cab7f653dcacdaba4011a8bb19c627c •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68797 – char: applicom: fix NULL pointer dereference in ac_ioctl
https://notcve.org/view.php?id=CVE-2025-68797
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer derefe... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.0EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68796 – f2fs: fix to avoid updating zero-sized extent in extent cache
https://notcve.org/view.php?id=CVE-2025-68796
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIO... • https://git.kernel.org/stable/c/6e9619499f53b22ead972e476c0e8341c997d929 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68795 – ethtool: Avoid overflowing userspace buffer on stats query
https://notcve.org/view.php?id=CVE-2025-68795
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stabl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68794 – iomap: adjust read range correctly for non-block-aligned positions
https://notcve.org/view.php?id=CVE-2025-68794
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and retur... • https://git.kernel.org/stable/c/9dc55f1389f9569acf9659e58dd836a9c70df217 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68792 – tpm2-sessions: Fix out of range indexing in name_size
https://notcve.org/view.php?id=CVE-2025-68792
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead into memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. End also th... • https://git.kernel.org/stable/c/1085b8276bb4239daa7008f0dcd5c973e4bd690f •