CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68362 – wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
https://notcve.org/view.php?id=CVE-2025-68362
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, ... • https://git.kernel.org/stable/c/6f7853f3cbe457067e9fe05461f56c7ea4ac488c •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68358 – btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
https://notcve.org/view.php?id=CVE-2025-68358
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix racy bitfield write in btrfs_clear_space_info_full() From the memory-barriers.txt document regarding memory barrier ordering guarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms. (*) Even in cases where bitfields are protected by locks, all fields in a given ... • https://git.kernel.org/stable/c/957780eb2788d8c218d539e19a85653f51a96dc1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68354 – regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
https://notcve.org/view.php?id=CVE-2025-68354
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias,... • https://git.kernel.org/stable/c/a06ccd9c3785fa5550917ae036944f4e080b5749 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68349 – NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
https://notcve.org/view.php?id=CVE-2025-68349
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout. In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear... • https://git.kernel.org/stable/c/fe1cf9469d7bcb6af27e42eb555a41b0135bce4a •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68346 – ALSA: dice: fix buffer overflow in detect_stream_formats()
https://notcve.org/view.php?id=CVE-2025-68346
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: dice: fix buffer overflow in detect_stream_formats() The function detect_stream_formats() reads the stream_count value directly from a FireWire device without validating it. This can lead to out-of-bounds writes when a malicious device provides a stream_count value greater than MAX_STREAMS. Fix by applying the same validation to both TX and RX stream counts in detect_stream_formats(). In the Linux kernel, the following vulnerability h... • https://git.kernel.org/stable/c/58579c056c1c9510ae6695ed8e01ee05bbdcfb23 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68344 – ALSA: wavefront: Fix integer overflow in sample size validation
https://notcve.org/view.php?id=CVE-2025-68344
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow. In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wave... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68343 – can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
https://notcve.org/view.php?id=CVE-2025-68343
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68342 – can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
https://notcve.org/view.php?id=CVE-2025-68342
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68340 – team: Move team device type change at the end of team_port_add
https://notcve.org/view.php?id=CVE-2025-68340
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_typ... • https://git.kernel.org/stable/c/1d76efe1577b4323609b1bcbfafa8b731eda071a •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68339 – atm/fore200e: Fix possible data race in fore200e_open()
https://notcve.org/view.php?id=CVE-2025-68339
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when s... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •