CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68321 – page_pool: always add GFP_NOWARN for ATOMIC allocations
https://notcve.org/view.php?id=CVE-2025-68321
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: page_pool: always add GFP_NOWARN for ATOMIC allocations Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default. In the Linux kernel, the following vulnerability has been resolved: page_pool: always add GFP_NOWARN fo... • https://git.kernel.org/stable/c/ff7d6b27f894f1469dc51ccb828b7363ccd9799f •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68315 – f2fs: fix to detect potential corrupted nid in free_nid_list
https://notcve.org/view.php?id=CVE-2025-68315
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to detect potential corrupted nid in free_nid_list As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list. In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to detect potential corrupted nid in free_nid_list As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let'... • https://git.kernel.org/stable/c/98e4da8ca301e062d79ae168c67e56f3c3de3ce4 •
CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0CVE-2025-68312 – usbnet: Prevents free active kevent
https://notcve.org/view.php?id=CVE-2025-68312
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: Prevents free active kevent The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregiste... • https://git.kernel.org/stable/c/8b4588b8b00b299be16a35be67b331d8fdba03f3 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68310 – s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump
https://notcve.org/view.php?id=CVE-2025-68310
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do. During error recovery testing a pair of tasks was reported to be hung: mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery fl... • https://git.kernel.org/stable/c/4cdf2f4e24ff0d345fc36ef6d6aec059333a261e •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68308 – can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
https://notcve.org/view.php?id=CVE-2025-68308
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands are used to align data to the USB endpoint's wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning the buffer position `pos` to the next packet boundary using `round_up()` function. However, if zero-length ... • https://git.kernel.org/stable/c/7259124eac7d1b76b41c7a9cb2511a30556deebe •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68307 – can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
https://notcve.org/view.php?id=CVE-2025-68307
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to reduced performance and ultimately to a complete stop of the transmission. If the sending of a bulk URB fails do proper cleanup: - increase netdev stats - mark the echo_sbk as free - free the driver's context and do accounting - wake the... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68303 – platform/x86: intel: punit_ipc: fix memory corruption
https://notcve.org/view.php?id=CVE-2025-68303
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption This passes the address of the pointer "&punit_ipcdev" when the intent was to pass the pointer itself "punit_ipcdev" (without the ampersand). This means that the: complete(&ipcdev->cmd_complete); in intel_punit_ioc() will write to a wrong memory address corrupting it. In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption... • https://git.kernel.org/stable/c/fdca4f16f57da76a8e68047923588a87d1c01f0a •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68302 – net: sxgbe: fix potential NULL dereference in sxgbe_rx()
https://notcve.org/view.php?id=CVE-2025-68302
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sxgbe: fix potential NULL dereference in sxgbe_rx() Currently, when skb is null, the driver prints an error and then dereferences skb on the next line. To fix this, let's add a 'break' after the error message to switch to sxgbe_rx_refill(), which is similar to the approach taken by the other drivers in this particular case, e.g. calxeda with xgmac_rx(). Found during a code review. In the Linux kernel, the following vulnerability has be... • https://git.kernel.org/stable/c/1edb9ca69e8a7988900fc0283e10550b5592164d •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68301 – net: atlantic: fix fragment overflow handling in RX path
https://notcve.org/view.php?id=CVE-2025-68301
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic. The issue occurs because the driver doesn't check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragment... • https://git.kernel.org/stable/c/cd66ab20a8f84474564a68fffffd37d998f6c340 •
CVSS: 6.3EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68296 – drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
https://notcve.org/view.php?id=CVE-2025-68296
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before ... • https://git.kernel.org/stable/c/6a9ee8af344e3bd7dbd61e67037096cdf7f83289 •