CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68345 – ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
https://notcve.org/view.php?id=CVE-2025-68345
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() The acpi_get_first_physical_node() function can return NULL, in which case the get_device() function also returns NULL, but this value is then dereferenced without checking,so add a check to prevent a crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NU... • https://git.kernel.org/stable/c/7b2f3eb492dac7665c75df067e4d8e4869589f4a •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68344 – ALSA: wavefront: Fix integer overflow in sample size validation
https://notcve.org/view.php?id=CVE-2025-68344
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow. In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wave... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68343 – can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
https://notcve.org/view.php?id=CVE-2025-68343
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68342 – can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
https://notcve.org/view.php?id=CVE-2025-68342
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2025-68340 – team: Move team device type change at the end of team_port_add
https://notcve.org/view.php?id=CVE-2025-68340
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_typ... • https://git.kernel.org/stable/c/1d76efe1577b4323609b1bcbfafa8b731eda071a •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68339 – atm/fore200e: Fix possible data race in fore200e_open()
https://notcve.org/view.php?id=CVE-2025-68339
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when s... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68338 – net: dsa: microchip: Don't free uninitialized ksz_irq
https://notcve.org/view.php?id=CVE-2025-68338
23 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Don't free uninitialized ksz_irq If something goes wrong at setup, ksz_irq_free() can be called on uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It leads to freeing uninitialized IRQ numbers and/or domains. Use dsa_switch_for_each_user_port_continue_reverse() in the error path to iterate only over the fully initialized ports. • https://git.kernel.org/stable/c/cc13ab18b201ab630f03511060ba289b70052959 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68337 – jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
https://notcve.org/view.php?id=CVE-2025-68337
22 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's issue when file system corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff888... • https://git.kernel.org/stable/c/470decc613ab2048b619a01028072d932d9086ee •
CVSS: 4.7EPSS: 0%CPEs: 13EXPL: 0CVE-2025-68336 – locking/spinlock/debug: Fix data-race in do_raw_write_lock
https://notcve.org/view.php?id=CVE-2025-68336
22 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: locking/spinlock/debug: Fix data-race in do_raw_write_lock KCSAN reports: BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehe... • https://git.kernel.org/stable/c/1a365e822372ba24c9da0822bc583894f6f3d821 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-68335 – comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
https://notcve.org/view.php?id=CVE-2025-68335
22 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash. Mitigate this problem by removing a call to pc... • https://git.kernel.org/stable/c/00aba6e7b5653a6607238ecdab7172318059d984 •