CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68244 – drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
https://notcve.org/view.php?id=CVE-2025-68244
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.... • https://git.kernel.org/stable/c/7d1c2618eac590d948eb33b9807d913ddb6e105f •
CVSS: 5.6EPSS: 0%CPEs: 14EXPL: 0CVE-2025-68241 – ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
https://notcve.org/view.php?id=CVE-2025-68241
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exc... • https://git.kernel.org/stable/c/e46e23c289f62ccd8e2230d9ce652072d777ff30 •
CVSS: 7.1EPSS: 0%CPEs: 11EXPL: 0CVE-2025-68239 – binfmt_misc: restore write access before closing files opened by open_exec()
https://notcve.org/view.php?id=CVE-2025-68239
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write oper... • https://git.kernel.org/stable/c/e7850f4d844e0acfac7e570af611d89deade3146 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68238 – mtd: rawnand: cadence: fix DMA device NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-68238
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: cadence: fix DMA device NULL pointer dereference The DMA device pointer `dma_dev` was being dereferenced before ensuring that `cdns_ctrl->dmac` is properly initialized. Move the assignment of `dma_dev` after successfully acquiring the DMA channel to ensure the pointer is valid before use. In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: cadence: fix DMA device NULL pointer dereference The DMA d... • https://git.kernel.org/stable/c/0cae7c285f4771a9927ef592899234d307aea5d4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68237 – mtdchar: fix integer overflow in read/write ioctls
https://notcve.org/view.php?id=CVE-2025-68237
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mtdchar: fix integer overflow in read/write ioctls The "req.start" and "req.len" variables are u64 values that come from the user at the start of the function. We mask away the high 32 bits of "req.len" so that's capped at U32_MAX but the "req.start" variable can go up to U64_MAX which means that the addition can still integer overflow. Use check_add_overflow() to fix this bug. In the Linux kernel, the following vulnerability has been resol... • https://git.kernel.org/stable/c/6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68236 – scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)
https://notcve.org/view.php?id=CVE-2025-68236
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) According to UFS specifications, the power-off sequence for a UFS device includes: - Sending an SSU command with Power_Condition=3 and await a response. - Asserting RST_N low. - Turning off REF_CLK. - Turning off VCC. - Turning off VCCQ/VCCQ2. As part of ufs shutdown, after the SSU command completion, asserting hardware reset (HWRST) triggers the device firmware to wake up ... • https://git.kernel.org/stable/c/b61d0414136853fc38898829cde837ce5d691a9a •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68235 – nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
https://notcve.org/view.php?id=CVE-2025-68235
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a kmemleak warning. Make sure this data is deallocated. In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a kmemleak warning. • https://git.kernel.org/stable/c/2541626cfb794e57ba0575a6920826f591f7ced0 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68233 – drm/tegra: Add call to put_pid()
https://notcve.org/view.php?id=CVE-2025-68233
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Add call to put_pid() Add a call to put_pid() corresponding to get_task_pid(). host1x_memory_context_alloc() does not take ownership of the PID so we need to free it here to avoid leaking. [mperttunen@nvidia.com: reword commit message] In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Add call to put_pid() Add a call to put_pid() corresponding to get_task_pid(). host1x_memory_context_alloc() does not ... • https://git.kernel.org/stable/c/e09db97889ec647ad373f7a7422c83099c6120c5 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68231 – mm/mempool: fix poisoning order>0 pages with HIGHMEM
https://notcve.org/view.php?id=CVE-2025-68231
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware na... • https://git.kernel.org/stable/c/bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68229 – scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
https://notcve.org/view.php?id=CVE-2025-68229
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: err... • https://git.kernel.org/stable/c/2628b352c3d4905adf8129ea50900bd980b6ccef •