CVSS: 6.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68809 – ksmbd: vfs: fix race on m_flags in vfs_cache
https://notcve.org/view.php?id=CVE-2025-68809
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), k... • https://git.kernel.org/stable/c/f44158485826c076335d6860d35872271a83791d •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68808 – media: vidtv: initialize local pointers upon transfer of memory ownership
https://notcve.org/view.php?id=CVE-2025-68808
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NU... • https://git.kernel.org/stable/c/3be8037960bccd13052cfdeba8805ad785041d70 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68806 – ksmbd: fix buffer validation by including null terminator size in EA length
https://notcve.org/view.php?id=CVE-2025-68806
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately... • https://git.kernel.org/stable/c/d070c4dd2a5bed4e9832eec5b6c029c7d14892ea •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68804 – platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
https://notcve.org/view.php?id=CVE-2025-68804
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting an UAF and crash. The driver doesn't unregister the EC device in .remove() which should shutdown sub-devices synchronously. Fix it. In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After ... • https://git.kernel.org/stable/c/26a14267aff218c60b89007fdb44ca392ba6122c •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68803 – NFSD: NFSv4 file creation neglects setting ACL
https://notcve.org/view.php?id=CVE-2025-68803
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whet... • https://git.kernel.org/stable/c/c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68801 – mlxsw: spectrum_router: Fix neighbour use-after-free
https://notcve.org/view.php?id=CVE-2025-68801
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid tak... • https://git.kernel.org/stable/c/6cf3c971dc84cb36579515ddb488919b9e9fb6de •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68800 – mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
https://notcve.org/view.php?id=CVE-2025-68800
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. F... • https://git.kernel.org/stable/c/f38656d067257cc43b652958dd154e1ab0773701 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68799 – caif: fix integer underflow in cffrml_receive()
https://notcve.org/view.php?id=CVE-2025-68799
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential informatio... • https://git.kernel.org/stable/c/b482cd2053e3b90a7b33a78c63cdb6badf2ec383 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68798 – perf/x86/amd: Check event before enable to avoid GPF
https://notcve.org/view.php?id=CVE-2025-68798
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probabl... • https://git.kernel.org/stable/c/ada543459cab7f653dcacdaba4011a8bb19c627c •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68797 – char: applicom: fix NULL pointer dereference in ac_ioctl
https://notcve.org/view.php?id=CVE-2025-68797
13 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer derefe... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •