CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68750 – usb: potential integer overflow in usbg_make_tpg()
https://notcve.org/view.php?id=CVE-2025-68750
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and a... • https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-54161 – af_unix: Fix null-ptr-deref in unix_stream_sendpage().
https://notcve.org/view.php?id=CVE-2023-54161
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, t... • https://git.kernel.org/stable/c/869e7c62486ec0e170a9771acaa251d1a33b5871 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54160 – firmware: arm_sdei: Fix sleep from invalid context BUG
https://notcve.org/view.php?id=CVE-2023-54160
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: arm_sdei: Fix sleep from invalid context BUG Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra triggers: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by cpuhp/0/24: #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuh... • https://git.kernel.org/stable/c/59842a9ba27d5390ae5bf3233a92cad3a26d495c •
CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54159 – usb: mtu3: fix kernel panic at qmu transfer done irq handler
https://notcve.org/view.php?id=CVE-2023-54159
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix kernel panic at qmu transfer done irq handler When handle qmu transfer irq, it will unlock @mtu->lock before give back request, if another thread handle disconnect event at the same time, and try to disable ep, it may lock @mtu->lock and free qmu ring, then qmu irq hanlder may get a NULL gpd, avoid the KE by checking gpd's value before handling it. e.g. qmu done irq on cpu0 thread running on cpu1 qmu_done_tx() handle gpd [0] ... • https://git.kernel.org/stable/c/48e0d3735aa557a8adaf94632ca3cf78798e8505 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54158 – btrfs: don't free qgroup space unless specified
https://notcve.org/view.php?id=CVE-2023-54158
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvo... • https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853 •
CVSS: 6.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54157 – binder: fix UAF of alloc->vma in race with munmap()
https://notcve.org/view.php?id=CVE-2023-54157
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit 720c24192404 ("ANDROID: binder: change down_write ... • https://git.kernel.org/stable/c/dd2283f2605e3b3e9c61bcae844b34f2afa4813f •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54153 – ext4: turn quotas off if mount failed after enabling quotas
https://notcve.org/view.php?id=CVE-2023-54153
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: turn quotas off if mount failed after enabling quotas Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak: ================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pi... • https://git.kernel.org/stable/c/11215630aada28307ba555a43138db6ac54fa825 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54151 – f2fs: Fix system crash due to lack of free space in LFS
https://notcve.org/view.php?id=CVE-2023-54151
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: Fix system crash due to lack of free space in LFS When f2fs tries to checkpoint during foreground gc in LFS mode, system crash occurs due to lack of free space if the amount of dirty node and dentry pages generated by data migration exceeds free space. The reproduction sequence is as follows. - 20GiB capacity block device (null_blk) - format and mount with LFS mode - create a file and write 20,000MiB - 4k random write on full range of... • https://git.kernel.org/stable/c/f4631d295ae3fff9e240ab78dc17f4b83d14f7bc •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54150 – drm/amd: Fix an out of bounds error in BIOS parser
https://notcve.org/view.php?id=CVE-2023-54150
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix an out of bounds error in BIOS parser The array is hardcoded to 8 in atomfirmware.h, but firmware provides a bigger one sometimes. Deferencing the larger array causes an out of bounds error. commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error in bios parser") fixed some of this, but there are two other cases not covered by it. Fix those as well. In the Linux kernel, the following vulnerability has been res... • https://git.kernel.org/stable/c/b8e7589f50b709b647b642531599e70707faf70c •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-54145 – bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log
https://notcve.org/view.php?id=CVE-2023-54145
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log It's trivial for user to trigger "verifier log line truncated" warning, as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at least two pieces of user-provided information that can be output through this buffer, and both can be arbitrarily sized by user: - BTF names; - BTF.ext source code lines strings. Verifier log buffer should be properly sized f... • https://git.kernel.org/stable/c/40c88c429a598006f91ad7a2b89856cd50b3a008 •