CVSS: 7.8 EPSS: 0% CPEs: 8 EXPL: 0
CVE-2025-68724 – crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
https://notcve.org/view.php?id=CVE-2025-68724
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial num... • https://git.kernel.org/stable/c/7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 •
CVSS: 5.5 EPSS: 0% CPEs: 6 EXPL: 0
CVE-2025-68380 – wifi: ath11k: fix peer HE MCS assignment
https://notcve.org/view.php?id=CVE-2025-68380
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS is sent as transmit MCS, which goes against firmware's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes because 0xffff is assigned to the he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Suppor... • https://git.kernel.org/stable/c/61fe43e7216df6e9a912d831aafc7142fa20f280 •
CVSS: 5.5 EPSS: 0% CPEs: 5 EXPL: 0
CVE-2025-68379 – RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
https://notcve.org/view.php?id=CVE-2025-68379
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask. Call Trace:
CVSS: 7.8 EPSS: 0% CPEs: 8 EXPL: 0
CVE-2025-68378 – bpf: Fix stackmap overflow check in __bpf_get_stackid()
https://notcve.org/view.php?id=CVE-2025-68378
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check in __bpf_get_stackid()
Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array. • https://git.kernel.org/stable/c/ee2a098851bfbe8bcdd964c0121f4246f00ff41e •
CVSS: 7.8 EPSS: 0% CPEs: 4 EXPL: 0
CVE-2025-68376 – coresight: ETR: Fix ETR buffer use-after-free issue
https://notcve.org/view.php?id=CVE-2025-68376
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: coresight: ETR: Fix ETR buffer use-after-free issue
When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed and enabled again, currently sysfs_buf will point to the newly allocated memory (buf_new) and free the old memory (buf_old). But the etr_buf that is being used by the ETR remains pointed to buf_old, not updated to buf_new. In this case, it will result in a memory use-after-free issue. Fix this by checking ETR's mode before u... • https://git.kernel.org/stable/c/bd2767ec3df2775bc336f441f9068a989ccb919d •
CVSS: 7.8 EPSS: 0% CPEs: 4 EXPL: 0
CVE-2025-68374 – md: fix rcu protection in md_wakeup_thread
https://notcve.org/view.php?id=CVE-2025-68374
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: md: fix rcu protection in md_wakeup_thread
We attempted to use RCU to protect the pointer 'thread', but directly passed the value when calling md_wakeup_thread(). This means that the RCU pointer has been acquired before rcu_read_lock(), which renders rcu_read_lock() ineffective and could lead to a use-after-free. • https://git.kernel.org/stable/c/4469315439827290923fce4f3f672599cabeb366 •
CVSS: 7.1 EPSS: 0% CPEs: 12 EXPL: 0
CVE-2025-68372 – nbd: defer config put in recv_work
https://notcve.org/view.php?id=CVE-2025-68372
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE:
nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_... • https://git.kernel.org/stable/c/87aac3a80af5cbad93e63250e8a1e19095ba0d30 •
CVSS: 6.9 EPSS: 0% CPEs: 6 EXPL: 0
CVE-2025-68371 – scsi: smartpqi: Fix device resources accessed after device removal
https://notcve.org/view.php?id=CVE-2025-68371
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix device resources accessed after device removal
Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and i... • https://git.kernel.org/stable/c/2d80f4054f7f901b8ad97358a9069616ac8524c7 •
CVSS: 6.9 EPSS: 0% CPEs: 7 EXPL: 0
CVE-2025-68369 – ntfs3: init run lock for extend inode
https://notcve.org/view.php?id=CVE-2025-68369
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs3: init run lock for extend inode
After setting the inode mode of $Extend to a regular file, executing the truncate system call will enter the do_truncate() routine, causing the run_lock uninitialized error reported by syzbot. Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to a regular file, the do_truncate() routine would not be entered. Add the run_lock initialization when loading $Extend. syzbot reported: INFO:... • https://git.kernel.org/stable/c/63eb6730ce0604d3eacf036c2f68ea70b068317c •
CVSS: 5.5 EPSS: 0% CPEs: 2 EXPL: 0
CVE-2025-68368 – md: init bioset in mddev_init
https://notcve.org/view.php?id=CVE-2025-68368
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: md: init bioset in mddev_init
IO operations may be needed before md_run(), such as updating metadata after writing sysfs. Without bioset, this triggers a NULL pointer dereference as below:
BUG: kernel NULL pointer dereference, address: 0000000000000020
Call Trace:
md_update_sb+0x658/0xe00
new_level_store+0xc5/0x120
md_attr_store+0xc9/0x1e0
sysfs_kf_write+0x6f/0xa0
kernfs_fop_write_iter+0x141/0x2a0
vfs_write+0x1fc/0x5a0
ksys_write+0x79/0x180... • https://git.kernel.org/stable/c/d981ed8419303ed12351eea8541ad6cb76455fe3 •
