CVSS: 7.3EPSS: 0%CPEs: 9EXPL: 0CVE-2025-68261 – ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
https://notcve.org/view.php?id=CVE-2025-68261
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). ... • https://git.kernel.org/stable/c/c755e251357a0cee0679081f08c3f4ba797a8009 •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68259 – KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
https://notcve.org/view.php?id=CVE-2025-68259
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn instruction, discard the exception and retry the instruction if the code stream is changed (e.g. by a different vCPU) between when the CPU executes the instruction and when KVM decodes the instruction to get the next RIP. As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO in... • https://git.kernel.org/stable/c/6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68258 – comedi: multiq3: sanitize config options in multiq3_attach()
https://notcve.org/view.php?id=CVE-2025-68258
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_at... • https://git.kernel.org/stable/c/77e01cdbad5175f56027fd6fae00bd0fc175651a •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68257 – comedi: check device's attached status in compat ioctls
https://notcve.org/view.php?id=CVE-2025-68257
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: check device's attached status in compat ioctls Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard ... • https://git.kernel.org/stable/c/3fbfd2223a271426509830e6340c386a1054cfad •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68256 – staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
https://notcve.org/view.php?id=CVE-2025-68256
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or... • https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68255 – staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
https://notcve.org/view.php?id=CVE-2025-68255
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bou... • https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68254 – staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
https://notcve.org/view.php?id=CVE-2025-68254
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE bo... • https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5 •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68252 – misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup
https://notcve.org/view.php?id=CVE-2025-68252
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup In fastrpc_map_lookup, dma_buf_get is called to obtain a reference to the dma_buf for comparison purposes. However, this reference is never released when the function returns, leading to a dma_buf memory leak. Fix this by adding dma_buf_put before returning from the function, ensuring that the temporarily acquired reference is properly released regardless of whether a matching map... • https://git.kernel.org/stable/c/ec5cb80503bbfee67573699fe52fcf456fd57678 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68251 – erofs: avoid infinite loops due to corrupted subpage compact indexes
https://notcve.org/view.php?id=CVE-2025-68251
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: erofs: avoid infinite loops due to corrupted subpage compact indexes Robert reported an infinite loop observed by two crafted images. The root cause is that `clusterofs` can be larger than `lclustersize` for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.: blocksize = lclustersize = 512 lcn = 6 clusterofs = 515 Move the corresponding check for full compress indexes to `z_erofs_load_lcluster_from_disk()` to also cover subpage... • https://git.kernel.org/stable/c/8d2517aaeea3ab8651bb517bca8f3c8664d318ea •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68249 – most: usb: hdm_probe: Fix calling put_device() before device initialization
https://notcve.org/view.php?id=CVE-2025-68249
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: most: usb: hdm_probe: Fix calling put_device() before device initialization The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject. In this path the private struct was only kmalloc'ed and the intended release is effecti... • https://git.kernel.org/stable/c/97a6f772f36b7f52bcfa56a581bbd2470cffe23d •