CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54292 – RDMA/irdma: Fix data race on CQP request done
https://notcve.org/view.php?id=CVE-2023-54292
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP request done KCSAN detects a data race on cqp_request->request_done memory location which is accessed locklessly in irdma_handle_cqp_op while being updated in irdma_cqp_ce_handler. Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any compiler optimizations like load fusing and/or KCSAN warning. [222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma] [222808... • https://git.kernel.org/stable/c/915cc7ac0f8e2a23675ee896e87f17c7d3c47089 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2023-54291 – vduse: fix NULL pointer dereference
https://notcve.org/view.php?id=CVE-2023-54291
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: vduse: fix NULL pointer dereference vduse_vdpa_set_vq_affinity callback can be called with NULL value as cpu_mask when deleting the vduse device. This patch resets virtqueue's IRQ affinity mask value to set all CPUs instead of dereferencing NULL cpu_mask. [ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 4760.959110] #PF: supervisor read access in kernel mode [ 4760.964247] #PF: error_code(0x0000) - not-presen... • https://git.kernel.org/stable/c/28f6288eb63d5979fa6758e64f52e4d55cf184a8 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54289 – scsi: qedf: Fix NULL dereference in error handling
https://notcve.org/view.php?id=CVE-2023-54289
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix NULL dereference in error handling Smatch reported: drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() warn: missing unwind goto? At this point in the function, nothing has been allocated so we can return directly. In particular the "qedf->global_queues" have not been allocated so calling qedf_free_global_queues() will lead to a NULL dereference when we check if (!gl[i]) and "gl" is NULL. • https://git.kernel.org/stable/c/61d8658b4a435eac729966cc94cdda077a8df5cd •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54288 – wifi: mac80211: fortify the spinlock against deadlock by interrupt
https://notcve.org/view.php?id=CVE-2023-54288
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fortify the spinlock against deadlock by interrupt In the function ieee80211_tx_dequeue() there is a particular locking sequence: begin: spin_lock(&local->queue_stop_reason_lock); q_stopped = local->queue_stop_reasons[q]; spin_unlock(&local->queue_stop_reason_lock); However small the chance (increased by ftracetest), an asynchronous interrupt can occur in between of spin_lock() and spin_unlock(), and the interrupt routine wi... • https://git.kernel.org/stable/c/7b8fe53d2a1da48db02ae961b29b8ee2f5515861 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54287 – tty: serial: imx: disable Ageing Timer interrupt request irq
https://notcve.org/view.php?id=CVE-2023-54287
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There maybe pending USR interrupt before requesting irq, however uart_add_one_port has not executed, so there will be kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre ss 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.... • https://git.kernel.org/stable/c/8a61f0c70ae65c6b70d13228c3120c73d7425a60 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54286 – wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
https://notcve.org/view.php?id=CVE-2023-54286
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace A received TKIP key may be up to 32 bytes because it may contain MIC rx/tx keys too. These are not used by iwl and copying these over overflows the iwl_keyinfo.key field. Add a check to not copy more data to iwl_keyinfo.key then will fit. This fixes backtraces like this one: memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net... • https://git.kernel.org/stable/c/76b5ea43ad2fb4f726ddfaff839430a706e7d7c2 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2023-54285 – iomap: Fix possible overflow condition in iomap_write_delalloc_scan
https://notcve.org/view.php?id=CVE-2023-54285
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: iomap: Fix possible overflow condition in iomap_write_delalloc_scan folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. • https://git.kernel.org/stable/c/5c281b0c5d18c8eeb1cfd5023f4adb153e6d1240 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2023-54284 – media: av7110: prevent underflow in write_ts_to_decoder()
https://notcve.org/view.php?id=CVE-2023-54284
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: av7110: prevent underflow in write_ts_to_decoder() The buf[4] value comes from the user via ts_play(). It is a value in the u8 range. The final length we pass to av7110_ipack_instant_repack() is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is not negative. It's not clear that passing a negative len value does anything bad necessarily, but it's not best practice. With the new bounds checking the "if (! • https://git.kernel.org/stable/c/fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54283 – bpf: Address KCSAN report on bpf_lru_list
https://notcve.org/view.php?id=CVE-2023-54283
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Address KCSAN report on bpf_lru_list KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race(). There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also. ===========================================... • https://git.kernel.org/stable/c/6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54282 – media: tuners: qt1010: replace BUG_ON with a regular error
https://notcve.org/view.php?id=CVE-2023-54282
30 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: tuners: qt1010: replace BUG_ON with a regular error BUG_ON is unnecessary here, and in addition it confuses smatch. Replacing this with an error return help resolve this smatch warning: drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 • https://git.kernel.org/stable/c/6cae780862d221106626b2b5fb21a197f398c6ec •