CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50697 – mrp: introduce active flags to prevent UAF when applicant uninit
https://notcve.org/view.php?id=CVE-2022-50697
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer, If we have no this synchronization, there is a small probability that the cancellation will not be successful. And syzbot report the fellowing crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-... • https://git.kernel.org/stable/c/febf018d22347b5df94066bca05d0c11a84e839d •
CVSS: 3.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68733 – smack: fix bug: unprivileged task can create labels
https://notcve.org/view.php?id=CVE-2025-68733
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smack: fix bug: unprivileged task can create labels If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into own /proc/PID/attr/smack/current This occurs because do_setattr() imports the provided label in advance, before checking "relabel-self" list. This change ensures that the "relabel-self" list is checked before importing the label. In the Linux ... • https://git.kernel.org/stable/c/38416e53936ecf896948fdeffc36b76979117952 •
CVSS: 6.9EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68732 – gpu: host1x: Fix race in syncpt alloc/free
https://notcve.org/view.php?id=CVE-2025-68732
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix race in syncpt alloc/free Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex ... • https://git.kernel.org/stable/c/f5ba33fb9690566c382624637125827b5512e766 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-68731 – accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array()
https://notcve.org/view.php?id=CVE-2025-68731
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array() The unpublished smatch static checker reported a warning. drivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array() warn: potential user controlled sizeof overflow 'args->num_element * args->element_size' '1-u32max(user) * 1-u32max(user)' Even this will not cause a real issue, it is better to put a reasonable limitation for element_size and num_element. Add con... • https://git.kernel.org/stable/c/2f509fe6a42cda845890273fe759fb7ba9edad97 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68730 – accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()
https://notcve.org/view.php?id=CVE-2025-68730
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() Don't add BO to the vdev->bo_list in ivpu_gem_create_object(). When failure happens inside drm_gem_shmem_create(), the BO is not fully created and ivpu_gem_bo_free() callback will not be called causing a deleted BO to be left on the list. In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() D... • https://git.kernel.org/stable/c/8d88e4cdce4f5c56de55174a4d32ea9c06f7fa66 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68729 – wifi: ath12k: Fix MSDU buffer types handling in RX error path
https://notcve.org/view.php?id=CVE-2025-68729
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix MSDU buffer types handling in RX error path Currently, packets received on the REO exception ring from unassociated peers are of MSDU buffer type, while the driver expects link descriptor type packets. These packets are not parsed further due to a return check on packet type in ath12k_hal_desc_reo_parse_err(), but the associated skb is not freed. This may lead to kernel crashes and buffer leaks. Hence to fix, update the RX... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68728 – ntfs3: fix uninit memory after failed mi_read in mi_format_new
https://notcve.org/view.php?id=CVE-2025-68728
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix uninit memory after failed mi_read in mi_format_new Fix a KMSAN un-init bug found by syzkaller. ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be uptodate. We do not bring the buffer uptodate before setting it as uptodate. If the buffer were to not be uptodate, it could mean adding a buffer with un-init data to the mi record. Attempting to load that record will trigger KMSAN. Avoid this by setting the buffer... • https://git.kernel.org/stable/c/4342306f0f0d5ff4315a204d315c1b51b914fca5 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68727 – ntfs3: Fix uninit buffer allocated by __getname()
https://notcve.org/view.php?id=CVE-2025-68727
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs3: Fix uninit buffer allocated by __getname() Fix uninit errors caused after buffer allocation given to 'de'; by initializing the buffer with zeroes. The fix was found by using KMSAN. In the Linux kernel, the following vulnerability has been resolved: ntfs3: Fix uninit buffer allocated by __getname() Fix uninit errors caused after buffer allocation given to 'de'; by initializing the buffer with zeroes. The fix was found by using KMSAN. ... • https://git.kernel.org/stable/c/78ab59fee07f22464f32eafebab2bd97ba94ff2d •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68726 – crypto: aead - Fix reqsize handling
https://notcve.org/view.php?id=CVE-2025-68726
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: aead - Fix reqsize handling Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") introduced cra_reqsize field in crypto_alg struct to replace type specific reqsize fields. It looks like this was introduced specifically for ahash and acomp from the commit description as subsequent commits add necessary changes in these alg frameworks. However, this is being recommended for use in all crypto algs instead of setting reqsize... • https://git.kernel.org/stable/c/afddce13ce81d52a13898fa0700917835c71acd6 •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-68725 – bpf: Do not let BPF test infra emit invalid GSO types to stack
https://notcve.org/view.php?id=CVE-2025-68725
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Do not let BPF test infra emit invalid GSO types to stack Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program - triggered via BPF test infra - pushes the packet to the loopback device via bpf_clone_redirect() then mentioned offload warning can be seen. GSO-related features are then rightfully disabled. We get into this situation... • https://git.kernel.org/stable/c/850a88cc4096fe1df407452ba2e4d28cf5b3eee9 •