linux package
kernel
pkg:linux/kernel
Vulnerabilities (1,755)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68308 | — | >= 4.19.0, < 5.10.247 | 5.10.247 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands ar | ||
| CVE-2025-68307 | — | >= 3.16.0, < 6.1.159 | 6.1.159 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to red | ||
| CVE-2025-68306 | — | >= 6.11.0, < 6.12.61 | 6.12.61 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface When performing reset tests and encountering abnormal card drop issues that lead to a kernel crash, it is necessary to perform a nul | ||
| CVE-2025-68305 | — | < 6.6.119 | 6.6.119 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter se | ||
| CVE-2025-68304 | — | >= 6.6.0, < 6.17.11 | 6.17.11 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't ensure hci_conn* is not concurrently modified/deleted. This locking appears | ||
| CVE-2025-68303 | — | >= 4.5.0, < 5.15.197 | 5.15.197 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption This passes the address of the pointer "&punit_ipcdev" when the intent was to pass the pointer itself "punit_ipcdev" (without the ampersand). This means tha | ||
| CVE-2025-68302 | — | >= 3.15.0, < 5.10.247 | 5.10.247 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: net: sxgbe: fix potential NULL dereference in sxgbe_rx() Currently, when skb is null, the driver prints an error and then dereferences skb on the next line. To fix this, let's add a 'break' after the error mes | ||
| CVE-2025-68301 | — | < 5.10.247 | 5.10.247 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-b | ||
| CVE-2025-68300 | — | >= 6.12.59, < 6.12.61 | 6.12.61 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: fs/namespace: fix reference leak in grab_requested_mnt_ns lookup_mnt_ns() already takes a reference on mnt_ns. grab_requested_mnt_ns() doesn't need to take an extra reference. | ||
| CVE-2025-68299 | — | >= 6.17.9, < 6.17.11 | 6.17.11 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: afs: Fix delayed allocation of a cell's anonymous key The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this i | ||
| CVE-2025-68298 | — | < 6.12.61 | 6.12.61 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) That function can return NULL in | ||
| CVE-2025-68297 | — | < 6.6.119 | 6.6.119 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: ceph: fix crash in process_v2_sparse_read() for encrypted directories The crash in process_v2_sparse_read() for fscrypt-encrypted directories has been reported. Issue takes place for Ceph msgr2 protocol in secu | ||
| CVE-2025-68296 | — | >= 2.6.34, < 6.12.61 | 6.12.61 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races | ||
| CVE-2025-68295 | — | >= 5.3.0, < 5.10.247 | 5.10.247 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix memory leak in cifs_construct_tcon() When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed | ||
| CVE-2025-68294 | — | >= 6.15.0, < 6.17.11 | 6.17.11 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: io_uring/net: ensure vectored buffer node import is tied to notification When support for vectored registered buffers was added, the import itself is using 'req' rather than the notification io_kiocb, sr->notif | ||
| CVE-2025-68293 | — | >= 6.9.0, < 6.12.61 | 6.12.61 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix NULL pointer deference when splitting folio Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before | ||
| CVE-2025-68292 | — | >= 6.11.0, < 6.12.61 | 6.12.61 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: mm/memfd: fix information leak in hugetlb folios When allocating hugetlb folios for memfd, three initialization steps are missing: 1. Folios are not zeroed, leading to kernel memory disclosure to userspace 2. | ||
| CVE-2025-68291 | — | >= 6.1.159, < 6.1.160 | 6.1.160 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP an | ||
| CVE-2025-68290 | — | >= 5.6.0, < 5.10.247 | 5.10.247 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads | ||
| CVE-2025-68289 | — | < 5.10.247 | 5.10.247 | Dec 16, 2025 | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all |
- CVE-2025-68308Dec 16, 2025affected >= 4.19.0, < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands ar
- CVE-2025-68307Dec 16, 2025affected >= 3.16.0, < 6.1.159fixed 6.1.159
In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to red
- CVE-2025-68306Dec 16, 2025affected >= 6.11.0, < 6.12.61fixed 6.12.61
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface When performing reset tests and encountering abnormal card drop issues that lead to a kernel crash, it is necessary to perform a nul
- CVE-2025-68305Dec 16, 2025affected < 6.6.119fixed 6.6.119
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter se
- CVE-2025-68304Dec 16, 2025affected >= 6.6.0, < 6.17.11fixed 6.17.11
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't ensure hci_conn* is not concurrently modified/deleted. This locking appears
- CVE-2025-68303Dec 16, 2025affected >= 4.5.0, < 5.15.197fixed 5.15.197
In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption This passes the address of the pointer "&punit_ipcdev" when the intent was to pass the pointer itself "punit_ipcdev" (without the ampersand). This means tha
- CVE-2025-68302Dec 16, 2025affected >= 3.15.0, < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: net: sxgbe: fix potential NULL dereference in sxgbe_rx() Currently, when skb is null, the driver prints an error and then dereferences skb on the next line. To fix this, let's add a 'break' after the error mes
- CVE-2025-68301Dec 16, 2025affected < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-b
- CVE-2025-68300Dec 16, 2025affected >= 6.12.59, < 6.12.61fixed 6.12.61
In the Linux kernel, the following vulnerability has been resolved: fs/namespace: fix reference leak in grab_requested_mnt_ns lookup_mnt_ns() already takes a reference on mnt_ns. grab_requested_mnt_ns() doesn't need to take an extra reference.
- CVE-2025-68299Dec 16, 2025affected >= 6.17.9, < 6.17.11fixed 6.17.11
In the Linux kernel, the following vulnerability has been resolved: afs: Fix delayed allocation of a cell's anonymous key The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this i
- CVE-2025-68298Dec 16, 2025affected < 6.12.61fixed 6.12.61
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) That function can return NULL in
- CVE-2025-68297Dec 16, 2025affected < 6.6.119fixed 6.6.119
In the Linux kernel, the following vulnerability has been resolved: ceph: fix crash in process_v2_sparse_read() for encrypted directories The crash in process_v2_sparse_read() for fscrypt-encrypted directories has been reported. Issue takes place for Ceph msgr2 protocol in secu
- CVE-2025-68296Dec 16, 2025affected >= 2.6.34, < 6.12.61fixed 6.12.61
In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races
- CVE-2025-68295Dec 16, 2025affected >= 5.3.0, < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix memory leak in cifs_construct_tcon() When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed
- CVE-2025-68294Dec 16, 2025affected >= 6.15.0, < 6.17.11fixed 6.17.11
In the Linux kernel, the following vulnerability has been resolved: io_uring/net: ensure vectored buffer node import is tied to notification When support for vectored registered buffers was added, the import itself is using 'req' rather than the notification io_kiocb, sr->notif
- CVE-2025-68293Dec 16, 2025affected >= 6.9.0, < 6.12.61fixed 6.12.61
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix NULL pointer deference when splitting folio Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before
- CVE-2025-68292Dec 16, 2025affected >= 6.11.0, < 6.12.61fixed 6.12.61
In the Linux kernel, the following vulnerability has been resolved: mm/memfd: fix information leak in hugetlb folios When allocating hugetlb folios for memfd, three initialization steps are missing: 1. Folios are not zeroed, leading to kernel memory disclosure to userspace 2.
- CVE-2025-68291Dec 16, 2025affected >= 6.1.159, < 6.1.160fixed 6.1.160
In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP an
- CVE-2025-68290Dec 16, 2025affected >= 5.6.0, < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads
- CVE-2025-68289Dec 16, 2025affected < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all
Page 51 of 88