CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71064 – net: hns3: using the num_tqps in the vf driver to apply for resources
https://notcve.org/view.php?id=CVE-2025-71064
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp usi... • https://git.kernel.org/stable/c/e2cb1dec9779ba2d89302a653eb0abaeb8682196 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68822 – Input: alps - fix use-after-free bugs caused by dev3_register_work
https://notcve.org/view.php?id=CVE-2025-68822
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in... • https://git.kernel.org/stable/c/04aae283ba6a8cd4851d937bf9c6d6ef0361d794 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-68820 – ext4: xattr: fix null pointer deref in ext4_raw_inode()
https://notcve.org/view.php?id=CVE-2025-68820
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been... • https://git.kernel.org/stable/c/cf9291a3449b04688b81e32621e88de8f4314b54 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68819 – media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
https://notcve.org/view.php?id=CVE-2025-68819
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix o... • https://git.kernel.org/stable/c/60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-68818 – scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
https://notcve.org/view.php?id=CVE-2025-68818
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: ql... • https://git.kernel.org/stable/c/cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68816 – net/mlx5: fw_tracer, Validate format string parameters
https://notcve.org/view.php?id=CVE-2025-68816
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (... • https://git.kernel.org/stable/c/70dd6fdb8987b14f7b6105f6be0617299e459398 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68815 – net/sched: ets: Remove drr class from the active list if it changes to strict
https://notcve.org/view.php?id=CVE-2025-68815
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following ... • https://git.kernel.org/stable/c/cd9b50adc6bb9ad3f7d244590a389522215865c4 •
CVSS: 6.2EPSS: 0%CPEs: 11EXPL: 0CVE-2025-68813 – ipvs: fix ipv4 null-ptr-deref in route error path
https://notcve.org/view.php?id=CVE-2025-68813
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_li... • https://git.kernel.org/stable/c/ed0de45a1008991fdaa27a0152befcb74d126a8b •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68808 – media: vidtv: initialize local pointers upon transfer of memory ownership
https://notcve.org/view.php?id=CVE-2025-68808
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NU... • https://git.kernel.org/stable/c/3be8037960bccd13052cfdeba8805ad785041d70 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68804 – platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
https://notcve.org/view.php?id=CVE-2025-68804
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting an UAF and crash. The driver doesn't unregister the EC device in .remove() which should shutdown sub-devices synchronously. Fix it. In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After ... • https://git.kernel.org/stable/c/26a14267aff218c60b89007fdb44ca392ba6122c •