CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71074 – functionfs: fix the open/removal races
https://notcve.org/view.php?id=CVE-2025-71074
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with U... • https://git.kernel.org/stable/c/ddf8abd2599491cbad959c700b90ba72a5dce8d0 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71073 – Input: lkkbd - disable pending work before freeing device
https://notcve.org/view.php?id=CVE-2025-71073
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71072 – shmem: fix recovery on rename failures
https://notcve.org/view.php?id=CVE-2025-71072
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange(). Moreover, shmem_whiteout() expects that if it succeeds, the caller will progress to d_move(), i.e. that shmem_rename2() won't fail past the successful call of shmem_whiteout(). Not hard to fix, fortunately - mtree_store... • https://git.kernel.org/stable/c/a2e459555c5f9da3e619b7e47a63f98574dc75f1 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71071 – iommu/mediatek: fix use-after-free on probe deferral
https://notcve.org/view.php?id=CVE-2025-71071
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound. In the Linux kernel, the following vulnerabi... • https://git.kernel.org/stable/c/8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71069 – f2fs: invalidate dentry cache on failed whiteout creation
https://notcve.org/view.php?id=CVE-2025-71069
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted dire... • https://git.kernel.org/stable/c/7e01e7ad746bc8198a8b46163ddc73a1c7d22339 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71068 – svcrdma: bound check rq_pages index in inline path
https://notcve.org/view.php?id=CVE-2025-71068
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page. In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verif... • https://git.kernel.org/stable/c/d7cc73972661be4a02a1b09f1d9b3283c6c05154 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71067 – ntfs: set dummy blocksize to read boot_block when mounting
https://notcve.org/view.php?id=CVE-2025-71067
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r... • https://git.kernel.org/stable/c/28861e3bbd9e7ac4cd9c811aad71b4d116e27930 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71066 – net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
https://notcve.org/view.php?id=CVE-2025-71066
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_q... • https://git.kernel.org/stable/c/ae2659d2c670252759ee9c823c4e039c0e05a6f2 •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71065 – f2fs: fix to avoid potential deadlock
https://notcve.org/view.php?id=CVE-2025-71065
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan... • https://git.kernel.org/stable/c/95fa90c9e5a7f14c2497d5b032544478c9377c3a •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71064 – net: hns3: using the num_tqps in the vf driver to apply for resources
https://notcve.org/view.php?id=CVE-2025-71064
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp usi... • https://git.kernel.org/stable/c/e2cb1dec9779ba2d89302a653eb0abaeb8682196 •