CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68801 – mlxsw: spectrum_router: Fix neighbour use-after-free
https://notcve.org/view.php?id=CVE-2025-68801
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid tak... • https://git.kernel.org/stable/c/6cf3c971dc84cb36579515ddb488919b9e9fb6de •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68799 – caif: fix integer underflow in cffrml_receive()
https://notcve.org/view.php?id=CVE-2025-68799
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential informatio... • https://git.kernel.org/stable/c/b482cd2053e3b90a7b33a78c63cdb6badf2ec383 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68797 – char: applicom: fix NULL pointer dereference in ac_ioctl
https://notcve.org/view.php?id=CVE-2025-68797
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer derefe... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68796 – f2fs: fix to avoid updating zero-sized extent in extent cache
https://notcve.org/view.php?id=CVE-2025-68796
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIO... • https://git.kernel.org/stable/c/6e9619499f53b22ead972e476c0e8341c997d929 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68795 – ethtool: Avoid overflowing userspace buffer on stats query
https://notcve.org/view.php?id=CVE-2025-68795
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stabl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68794 – iomap: adjust read range correctly for non-block-aligned positions
https://notcve.org/view.php?id=CVE-2025-68794
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and retur... • https://git.kernel.org/stable/c/9dc55f1389f9569acf9659e58dd836a9c70df217 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68789 – hwmon: (ibmpex) fix use-after-free in high/low store
https://notcve.org/view.php?id=CVE-2025-68789
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) fix use-after-free in high/low store The ibmpex_high_low_store() function retrieves driver data using dev_get_drvdata() and uses it without validation. This creates a race condition where the sysfs callback can be invoked after the data structure is freed, leading to use-after-free. Fix by adding a NULL check after dev_get_drvdata(), and reordering operations in the deletion path to prevent TOCTOU. In the Linux kernel, the f... • https://git.kernel.org/stable/c/57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68788 – fsnotify: do not generate ACCESS/MODIFY events on child for special files
https://notcve.org/view.php?id=CVE-2025-68788
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see i... • https://git.kernel.org/stable/c/72acc854427948efed7a83da27f7dc3239ac9afc •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68787 – netrom: Fix memory leak in nr_sendmsg()
https://notcve.org/view.php?id=CVE-2025-68787
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When function sock_alloc_send_skb() return NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ......... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68785 – net: openvswitch: fix middle attribute validation in push_nsh() action
https://notcve.org/view.php?id=CVE-2025-68785
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing check... • https://git.kernel.org/stable/c/b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 •