CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68266 – bfs: Reconstruct file type when loading from disk
https://notcve.org/view.php?id=CVE-2025-68266
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted or when the 32bits "attributes" field loaded from disk are corrupted. A documentation says that BFS uses only lower 9 bits of the "mode" field. But I can't find an explicit explanation that the unused upper 23 bits (especially, the S_IFMT bits)... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68264 – ext4: refresh inline data size before write operations
https://notcve.org/view.php?id=CVE-2025-68264
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline... • https://git.kernel.org/stable/c/67cf5b09a46f72e048501b84996f2f77bc42e947 •
CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68263 – ksmbd: ipc: fix use-after-free in ipc_msg_send_request
https://notcve.org/view.php?id=CVE-2025-68263
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is c... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 7.3EPSS: 0%CPEs: 13EXPL: 0CVE-2025-68261 – ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
https://notcve.org/view.php?id=CVE-2025-68261
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). ... • https://git.kernel.org/stable/c/c755e251357a0cee0679081f08c3f4ba797a8009 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68258 – comedi: multiq3: sanitize config options in multiq3_attach()
https://notcve.org/view.php?id=CVE-2025-68258
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_at... • https://git.kernel.org/stable/c/77e01cdbad5175f56027fd6fae00bd0fc175651a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68257 – comedi: check device's attached status in compat ioctls
https://notcve.org/view.php?id=CVE-2025-68257
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: check device's attached status in compat ioctls Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard ... • https://git.kernel.org/stable/c/3fbfd2223a271426509830e6340c386a1054cfad •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68256 – staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
https://notcve.org/view.php?id=CVE-2025-68256
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68255 – staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
https://notcve.org/view.php?id=CVE-2025-68255
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bou... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68254 – staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
https://notcve.org/view.php?id=CVE-2025-68254
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE bo... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68249 – most: usb: hdm_probe: Fix calling put_device() before device initialization
https://notcve.org/view.php?id=CVE-2025-68249
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: most: usb: hdm_probe: Fix calling put_device() before device initialization The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject. In this path the private struct was only kmalloc'ed and the intended release is effecti... • https://git.kernel.org/stable/c/97a6f772f36b7f52bcfa56a581bbd2470cffe23d •