CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68750 – usb: potential integer overflow in usbg_make_tpg()
https://notcve.org/view.php?id=CVE-2025-68750
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and a... • https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 •
CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 0CVE-2025-68749 – accel/ivpu: Fix race condition when unbinding BOs
https://notcve.org/view.php?id=CVE-2025-68749
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix race condition when unbinding BOs Fix 'Memory manager not clean during takedown' warning that occurs when ivpu_gem_bo_free() removes the BO from the BOs list before it gets unmapped. Then file_priv_unbind() triggers a warning in drm_mm_takedown() during context teardown. Protect the unmapping sequence with bo_list_lock to ensure the BO is always fully unmapped when removed from the list. This ensures the BO is either fully u... • https://git.kernel.org/stable/c/48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68746 – spi: tegra210-quad: Fix timeout handling
https://notcve.org/view.php?id=CVE-2025-68746
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Fix timeout handling When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached. While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory. To avoid this, clear curr_xfe... • https://git.kernel.org/stable/c/921fc1838fb036f690b8ba52e6a6d3644b475cbb •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-68745 – scsi: qla2xxx: Clear cmds after chip reset
https://notcve.org/view.php?id=CVE-2025-68745
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Clear cmds after chip reset Commit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling and host reset handling") caused two problems: 1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore. 2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") attempted to fix this, but introduced anoth... • https://git.kernel.org/stable/c/aefed3e5548f28e5fecafda6604fcbc65484dbaa •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68744 – bpf: Free special fields when update [lru_,]percpu_hash maps
https://notcve.org/view.php?id=CVE-2025-68744
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Free special fields when update [lru_,]percpu_hash maps As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'. In the Linux kernel, the following vulnerability has been... • https://git.kernel.org/stable/c/65334e64a493c6a0976de7ad56bf8b7a9ff04b4a •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68742 – bpf: Fix invalid prog->stats access when update_effective_progs fails
https://notcve.org/view.php?id=CVE-2025-68742
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softir... • https://git.kernel.org/stable/c/492ecee892c2a4ba6a14903d5d586ff750b7e805 •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68741 – scsi: qla2xxx: Fix improper freeing of purex item
https://notcve.org/view.php?id=CVE-2025-68741
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix improper freeing of purex item In qla2xxx_process_purls_iocb(), an item is allocated via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). The qla24xx_alloc_purex_item() function may return a pre-allocated item from a per-adapter pool for small allocations, instead of dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() ... • https://git.kernel.org/stable/c/875386b98857822b77ac7f95bdf367b70af5b78c •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-68740 – ima: Handle error code returned by ima_filter_rule_match()
https://notcve.org/view.php?id=CVE-2025-68740
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match() In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurem... • https://git.kernel.org/stable/c/4af4662fa4a9dc62289c580337ae2506339c4729 •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-68736 – landlock: Fix handling of disconnected directories
https://notcve.org/view.php?id=CVE-2025-68736
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope). Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to ... • https://git.kernel.org/stable/c/cb2c7d1a1776057c9a1f48ed1250d85e94d4850d •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68734 – isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
https://notcve.org/view.php?id=CVE-2025-68734
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool. • https://git.kernel.org/stable/c/69f52adb2d534afc41fcc658f155e01f0b322f9e •