CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68750 – usb: potential integer overflow in usbg_make_tpg()
https://notcve.org/view.php?id=CVE-2025-68750
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and a... • https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-54161 – af_unix: Fix null-ptr-deref in unix_stream_sendpage().
https://notcve.org/view.php?id=CVE-2023-54161
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, t... • https://git.kernel.org/stable/c/869e7c62486ec0e170a9771acaa251d1a33b5871 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54160 – firmware: arm_sdei: Fix sleep from invalid context BUG
https://notcve.org/view.php?id=CVE-2023-54160
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: arm_sdei: Fix sleep from invalid context BUG Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra triggers: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by cpuhp/0/24: #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuh... • https://git.kernel.org/stable/c/59842a9ba27d5390ae5bf3233a92cad3a26d495c •
CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54159 – usb: mtu3: fix kernel panic at qmu transfer done irq handler
https://notcve.org/view.php?id=CVE-2023-54159
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix kernel panic at qmu transfer done irq handler When handle qmu transfer irq, it will unlock @mtu->lock before give back request, if another thread handle disconnect event at the same time, and try to disable ep, it may lock @mtu->lock and free qmu ring, then qmu irq hanlder may get a NULL gpd, avoid the KE by checking gpd's value before handling it. e.g. qmu done irq on cpu0 thread running on cpu1 qmu_done_tx() handle gpd [0] ... • https://git.kernel.org/stable/c/48e0d3735aa557a8adaf94632ca3cf78798e8505 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54158 – btrfs: don't free qgroup space unless specified
https://notcve.org/view.php?id=CVE-2023-54158
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvo... • https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853 •
CVSS: 6.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54157 – binder: fix UAF of alloc->vma in race with munmap()
https://notcve.org/view.php?id=CVE-2023-54157
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit 720c24192404 ("ANDROID: binder: change down_write ... • https://git.kernel.org/stable/c/dd2283f2605e3b3e9c61bcae844b34f2afa4813f •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54156 – sfc: fix crash when reading stats while NIC is resetting
https://notcve.org/view.php?id=CVE-2023-54156
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: sfc: fix crash when reading stats while NIC is resetting efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_upda... • https://git.kernel.org/stable/c/d3142c193dca9a2f6878f4128ce1aaf221bb3f99 •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54155 – net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
https://notcve.org/view.php?id=CVE-2023-54155
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Syzkaller reported the following issue: ======================================= Too BIG xdp->frame_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace:
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54154 – scsi: target: core: Fix target_cmd_counter leak
https://notcve.org/view.php?id=CVE-2023-54154
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix target_cmd_counter leak The target_cmd_counter struct allocated via target_alloc_cmd_counter() is never freed, resulting in leaks across various transport types, e.g.: unreferenced object 0xffff88801f920120 (size 96): comm "sh", pid 102, jiffies 4294892535 (age 713.412s) hex dump (first 32 bytes): 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........... • https://git.kernel.org/stable/c/76b77646f17118f5babe93c032e6b7a53bbde3b9 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54153 – ext4: turn quotas off if mount failed after enabling quotas
https://notcve.org/view.php?id=CVE-2023-54153
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: turn quotas off if mount failed after enabling quotas Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak: ================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pi... • https://git.kernel.org/stable/c/11215630aada28307ba555a43138db6ac54fa825 •