CVSS: 6.3 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-68296 – drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
https://notcve.org/view.php?id=CVE-2025-68296
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before ... • https://git.kernel.org/stable/c/6a9ee8af344e3bd7dbd61e67037096cdf7f83289 •
CVSS: 5.5 • EPSS: 0% • CPEs: 12 • EXPL: 0 • CVE-2025-68295 – smb: client: fix memory leak in cifs_construct_tcon()
https://notcve.org/view.php?id=CVE-2025-68295
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix memory leak in cifs_construct_tcon() When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon(). This fixes the following memory leak reported by kmemleak:

    mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
    su - testuser
    cifscreds add -d ZELDA -u testuser
    ...
    ls /mnt/1
    ...
    umount /mnt...

• https://git.kernel.org/stable/c/f2aee329a68f5a907bcff11a109dfe17c0b41aeb •
CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-68293 – mm/huge_memory: fix NULL pointer deference when splitting folio
https://notcve.org/view.php?id=CVE-2025-68293
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix NULL pointer deference when splitting folio Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereferenc... • https://git.kernel.org/stable/c/c010d47f107f609b9f4d6a103b6dfc53889049e9 •
CVSS: 9.4 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-68291 – mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
https://notcve.org/view.php?id=CVE-2025-68291
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit 499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0"). Let's apply the same fix to mptcp_do_fastclose(). [0]: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not taint... • https://git.kernel.org/stable/c/9ea05fabce31ff93a0adae8221c58bc6d7b832f3 •
CVSS: 7.8 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2025-68290 – most: usb: fix double free on late probe failure
https://notcve.org/view.php?id=CVE-2025-68290
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads to bugs in the MOST drivers, and a couple of recent changes turned a reference underflow and use-after-free in the USB driver into several double free and a use-after-free on late probe failures. In the Linux kernel, the following vuln... • https://git.kernel.org/stable/c/723de0f9171eeb49a3ae98cae82ebbbb992b3a7c •
CVSS: 5.5 • EPSS: 0% • CPEs: 14 • EXPL: 0 • CVE-2025-68289 – usb: gadget: f_eem: Fix memory leak in eem_unwrap
https://notcve.org/view.php?id=CVE-2025-68289
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all allocated resources on usb_ep_queue failure. This patch continues to use goto logic for error handling, as the existing error handling is complex and not easily adaptable to auto-cleanup helpers. kmemleak results: unreferenced object 0... • https://git.kernel.org/stable/c/3b545788505b2e2883aff13bdddeacaf88942a4f •
CVSS: 5.6 • EPSS: 0% • CPEs: 13 • EXPL: 0 • CVE-2025-68288 – usb: storage: Fix memory leak in USB bulk transport
https://notcve.org/view.php?id=CVE-2025-68288
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: storage: Fix memory leak in USB bulk transport A kernel memory leak was identified by the 'ioctl_sg01' test from Linux Test Project (LTP). The following bytes were mainly observed: 0x53425355. When USB storage devices incorrectly skip the data phase with status data, the code extracts/validates the CSW from the sg buffer, but fails to clear it afterwards. This leaves status protocol data in srb's transfer buffer, such as the US_BULK_CS... • https://git.kernel.org/stable/c/a45b599ad808c3c982fdcdc12b0b8611c2f92824 •
CVSS: 7.0 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2025-68287 – usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
https://notcve.org/view.php?id=CVE-2025-68287
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call ... • https://git.kernel.org/stable/c/72246da40f3719af3bfd104a2365b32537c27d83 •
CVSS: 5.5 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2025-68286 – drm/amd/display: Check NULL before accessing
https://notcve.org/view.php?id=CVE-2025-68286
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing [WHAT] IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic fails with NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitors connected. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: ... • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 6.3 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2025-68285 – libceph: fix potential use-after-free in have_mon_and_osd_map()
https://notcve.org/view.php?id=CVE-2025-68285
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one

    kfree(monc->monmap);
    monc->monmap = monmap;

    ceph_osdmap_destroy(osdc->osdmap);
    osdc->osdmap = newmap;

under client->monc.mutex and clie... • https://git.kernel.org/stable/c/6822d00b5462e7a9dfa11dcc60cc25823a2107c5 •
