CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-54107 – blk-cgroup: dropping parent refcount after pd_free_fn() is done
https://notcve.org/view.php?id=CVE-2023-54107
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work... • https://git.kernel.org/stable/c/d578c770c85233af592e54537f93f3831bde7e9a •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54106 – net/mlx5: fix potential memory leak in mlx5e_init_rep_rx
https://notcve.org/view.php?id=CVE-2023-54106
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fix potential memory leak in mlx5e_init_rep_rx The memory pointed to by the priv->rx_res pointer is not freed in the error path of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing the memory in the error path, thereby making the error path identical to mlx5e_cleanup_rep_rx(). In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fix potential memory leak in mlx5e_init_rep_rx The memory poi... • https://git.kernel.org/stable/c/af8bbf7300686961f74e72e2dc10a76672603cb3 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54105 – can: isotp: check CAN address family in isotp_bind()
https://notcve.org/view.php?id=CVE-2023-54105
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: isotp: check CAN address family in isotp_bind() Add missing check to block non-AF_CAN binds. Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field: bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10) ^^^^ This has no funtional impact but the userspace should be notified about the wrong address family field content. In the Linux kernel... • https://git.kernel.org/stable/c/e057dd3fc20ffb3d7f150af46542a51b59b90127 •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54104 – mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()
https://notcve.org/view.php?id=CVE-2023-54104
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 'op-cs' is copied in 'fun->mchip_number' which is used to access the 'mchip_offsets' and the 'rnb_gpio' arrays. These arrays have NAND_MAX_CHIPS elements, so the index must be below this limit. Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This would lead to out-of-bound accesses. In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand... • https://git.kernel.org/stable/c/54309d65776755bcdb9dcf3744cd764fc1e254ea •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54102 – scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
https://notcve.org/view.php?id=CVE-2023-54102
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow A static code analysis tool flagged the possibility of buffer overflow when using copy_from_user() for a debugfs entry. Currently, it is possible that copy_from_user() copies more bytes than what would fit in the mybuf char array. Add a min() restriction check between sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect against buffer overflow. In the Linu... • https://git.kernel.org/stable/c/6a828b0f6192b4930894925d1c1d0dc1f1d99e6e •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54101 – driver: soc: xilinx: use _safe loop iterator to avoid a use after free
https://notcve.org/view.php?id=CVE-2023-54101
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: use _safe loop iterator to avoid a use after free The hash_for_each_possible() loop dereferences "eve_data" to get the next item on the list. However the loop frees eve_data so it leads to a use after free. Use hash_for_each_possible_safe() instead. In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: use _safe loop iterator to avoid a use after free The hash_for_each_possible() loop ... • https://git.kernel.org/stable/c/c7fdb2404f66131bc9c22e06f712717288826487 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54100 – scsi: qedi: Fix use after free bug in qedi_remove()
https://notcve.org/view.php?id=CVE-2023-54100
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix use after free bug in qedi_remove() In qedi_probe() we call __qedi_probe() which initializes &qedi->recovery_work with qedi_recovery_handler() and &qedi->board_disable_work with qedi_board_disable_work(). When qedi_schedule_recovery_handler() is called, schedule_delayed_work() will finally start the work. In qedi_remove(), which is called to remove the driver, the following sequence may be observed: Fix this by finishing the... • https://git.kernel.org/stable/c/4b1068f5d74b6cc92319bd7eba40809b1222e73f •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54099 – fs: Protect reconfiguration of sb read-write from racing writes
https://notcve.org/view.php?id=CVE-2023-54099
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: Protect reconfiguration of sb read-write from racing writes The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as ... • https://git.kernel.org/stable/c/8d0347f6c3a9d4953ddd636a31c6584da082e084 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54098 – drm/i915/gvt: fix gvt debugfs destroy
https://notcve.org/view.php?id=CVE-2023-54098
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/gvt: fix gvt debugfs destroy When gvt debug fs is destroyed, need to have a sane check if drm minor's debugfs root is still available or not, otherwise in case like device remove through unbinding, drm minor's debugfs directory has already been removed, then intel_gvt_debugfs_clean() would act upon dangling pointer like below oops. i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state f... • https://git.kernel.org/stable/c/bc7b0be316aebac42eb9e8e54c984609555944da •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54097 – regulator: stm32-pwr: fix of_iomap leak
https://notcve.org/view.php?id=CVE-2023-54097
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: stm32-pwr: fix of_iomap leak Smatch reports: drivers/regulator/stm32-pwr.c:166 stm32_pwr_regulator_probe() warn: 'base' from of_iomap() not released on lines: 151,166. In stm32_pwr_regulator_probe(), base is not released when devm_kzalloc() fails to allocate memory or devm_regulator_register() fails to register a new regulator device, which may cause a leak. To fix this issue, replace of_iomap() with devm_platform_ioremap_resourc... • https://git.kernel.org/stable/c/dc62f951a6a8490bcccc7b6de36cd85bd57be740 •