CVSS: 5.6EPSS: 0%CPEs: 14EXPL: 0CVE-2025-68241 – ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
https://notcve.org/view.php?id=CVE-2025-68241
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exc... • https://git.kernel.org/stable/c/e46e23c289f62ccd8e2230d9ce652072d777ff30 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68239 – binfmt_misc: restore write access before closing files opened by open_exec()
https://notcve.org/view.php?id=CVE-2025-68239
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write oper... • https://git.kernel.org/stable/c/e7850f4d844e0acfac7e570af611d89deade3146 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68231 – mm/mempool: fix poisoning order>0 pages with HIGHMEM
https://notcve.org/view.php?id=CVE-2025-68231
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware na... • https://git.kernel.org/stable/c/bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68229 – scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
https://notcve.org/view.php?id=CVE-2025-68229
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: err... • https://git.kernel.org/stable/c/2628b352c3d4905adf8129ea50900bd980b6ccef •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68227 – mptcp: Fix proto fallback detection with BPF
https://notcve.org/view.php?id=CVE-2025-68227
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf... • https://git.kernel.org/stable/c/0b4f33def7bbde1ce2fea05f116639270e7acdc7 •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68223 – drm/radeon: delete radeon_fence_process in is_signaled, no deadlock
https://notcve.org/view.php?id=CVE-2025-68223
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Delete the attempt to progress the queue when checking if fence is signaled. This avoids deadlock. dma-fence_ops::signaled can be called with the fence lock in unknown state. For radeon, the fence lock is also the wait queue lock. This can cause a self deadlock when signaled() tries to make forward progress on the wait queue. But advancing the queue is unneeded because inco... • https://git.kernel.org/stable/c/954605ca3f897ad617123279eb3404a404cce5ab •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68220 – net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error
https://notcve.org/view.php?id=CVE-2025-68220
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Make knav_dma_open_channel consistently return NULL on error instead of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h returns NULL when the driver is disabled, but the driver implementation does not even return NULL or ERR_PTR on failure, causing inconsistency in the users. This results in a crash in netcp_free_navigator_resources as followed... • https://git.kernel.org/stable/c/88139ed030583557751e279968e13e892ae10825 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68217 – Input: pegasus-notetaker - fix potential out-of-bounds access
https://notcve.org/view.php?id=CVE-2025-68217
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: pegasus-notetaker - fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pe... • https://git.kernel.org/stable/c/1afca2b66aac7ac262d3511c68725e9e7053b40f •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68211 – ksm: use range-walk function to jump over holes in scan_get_next_rmap_item
https://notcve.org/view.php?id=CVE-2025-68211
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages. This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages. This patch replaces the per-address lookup with a range walk using walk_page_range(). ... • https://git.kernel.org/stable/c/31dbd01f314364b70c2e026a5793a29a4da8a9dc •
CVSS: 9.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68206 – netfilter: nft_ct: add seqadj extension for natted connections
https://notcve.org/view.php?id=CVE-2025-68206
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: add seqadj extension for natted connections Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq. The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto ine... • https://git.kernel.org/stable/c/1a64edf54f55d7956cf5a0d95898bc1f84f9b818 •