CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54118 – serial: sc16is7xx: setup GPIO controller later in probe
https://notcve.org/view.php?id=CVE-2023-54118
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: setup GPIO controller later in probe The GPIO controller component of the sc16is7xx driver is setup too early, which can result in a race condition where another device tries to utilise the GPIO lines before the sc16is7xx device has finished initialising. This issue manifests itself as an Oops when the GPIO lines are configured: Unable to handle kernel read from unreadable memory at virtual address ... pc : sc16is7xx_gpio... • https://git.kernel.org/stable/c/17b96b5c19bec791b433890549e44ca523dc82aa •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54115 – pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()
https://notcve.org/view.php?id=CVE-2023-54115
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() When nonstatic_release_resource_db() frees all resources associated with an PCMCIA socket, it forgets to free socket_data too, causing a memory leak observable with kmemleak: unreferenced object 0xc28d1000 (size 64): comm "systemd-udevd", pid 297, jiffies 4294898478 (age 194.484s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ............... • https://git.kernel.org/stable/c/bde0b6da7bd893c37afaee3555cc3ac3be582313 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54110 – usb: rndis_host: Secure rndis_query check against int overflow
https://notcve.org/view.php?id=CVE-2023-54110
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries ... • https://git.kernel.org/stable/c/ddda08624013e8435e9f7cfc34a35bd7b3520b6d •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-54107 – blk-cgroup: dropping parent refcount after pd_free_fn() is done
https://notcve.org/view.php?id=CVE-2023-54107
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work... • https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54105 – can: isotp: check CAN address family in isotp_bind()
https://notcve.org/view.php?id=CVE-2023-54105
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: isotp: check CAN address family in isotp_bind() Add missing check to block non-AF_CAN binds. Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field: bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10) ^^^^ This has no funtional impact but the userspace should be notified about the wrong address family field content. In the Linux kernel... • https://git.kernel.org/stable/c/de3c02383aa678f6799402ac47fdd89cf4bfcaa9 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54102 – scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
https://notcve.org/view.php?id=CVE-2023-54102
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow A static code analysis tool flagged the possibility of buffer overflow when using copy_from_user() for a debugfs entry. Currently, it is possible that copy_from_user() copies more bytes than what would fit in the mybuf char array. Add a min() restriction check between sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect against buffer overflow. In the Linu... • https://git.kernel.org/stable/c/644a9d5e22761a41d5005a26996a643da96de962 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54099 – fs: Protect reconfiguration of sb read-write from racing writes
https://notcve.org/view.php?id=CVE-2023-54099
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: Protect reconfiguration of sb read-write from racing writes The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as ... • https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54093 – media: anysee: fix null-ptr-deref in anysee_master_xfer
https://notcve.org/view.php?id=CVE-2023-54093
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: media: anysee: fix null-ptr-deref in anysee_master_xfer In anysee_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach anysee_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-pt... • https://git.kernel.org/stable/c/73c0b224ceeba12dee2a7a8cbc147648da0b2e63 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54087 – ubi: Fix possible null-ptr-deref in ubi_free_volume()
https://notcve.org/view.php?id=CVE-2023-54087
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ubi: Fix possible null-ptr-deref in ubi_free_volume() It willl cause null-ptr-deref in the following case: uif_init() ubi_add_volume() cdev_add() -> if it fails, call kill_volumes() device_register() kill_volumes() -> if ubi_add_volume() fails call this function ubi_free_volume() cdev_del() device_unregister() -> trying to delete a not added device, it causes null-ptr-deref So in ubi_free_volume(), it delete devices whether they are added o... • https://git.kernel.org/stable/c/801c135ce73d5df1caf3eca35b66a10824ae0707 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54086 – bpf: Add preempt_count_{sub,add} into btf id deny list
https://notcve.org/view.php?id=CVE-2023-54086
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Add preempt_count_{sub,add} into btf id deny list The recursion check in __bpf_prog_enter* and __bpf_prog_exit* leave preempt_count_{sub,add} unprotected. When attaching trampoline to them we get panic as follows, [ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28) [ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI [ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump:... • https://git.kernel.org/stable/c/095018267c87b8bfbbb12eeb1c0ebf2359e1782c •