CVE-2025-40160 xen/events: Return -EEXIST for bound VIRQs

In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change findvirq to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUGON from bindvirqtoirq to propogate the error upwards. Some VIRQ...

CVE-2025-38113 ACPI: CPPC: Fix NULL pointer dereference when nosmp is used

In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Fix NULL pointer dereference when nosmp is used With nosmp in cmdline, other CPUs are not brought up, leaving their cpcdescptr NULL. CPU0's iteration via foreachpossiblecpu dereferences these NULL pointers, causing...

CVE-2024-50257 netfilter: Fix use-after-free in get_info()

In the Linux kernel, the following vulnerability has been resolved: netfilter: Fix use-after-free in getinfo ip6tablenat module unload has refcnt warning for UAF. call trace is: WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 moduleput+0x6f/0x80 Modules linked in: ip6tablenat- CPU: 1 UID: 0...

CVE-2024-49924

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafbtask In the pxafbprobe function, it calls the pxafbinitfbinfo function, after which &fbi-;task is associated with pxafbtask. Moreover, within this pxafbinitfbinfo function, the...

CVE-2024-49866

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Fix a race during cpuhp processing There is another found exception that the "timerlat/1" thread was scheduled on CPU0, and lead to timer corruption finally: ODEBUG: init active active state 0 object:...

CVE-2024-50061 i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdnsi3cmaster Driver Due to Race Condition In the cdnsi3cmasterprobe function, &master-hjwork is bound with cdnsi3cmasterhj. And cdnsi3cmasterinterrupt can call...

CVE-2024-49924

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafbtask In the pxafbprobe function, it calls the pxafbinitfbinfo function, after which &fbi-task is associated with pxafbtask. Moreover, within this pxafbinitfbinfo function, the...

CVE-2024-49924 fbdev: pxafb: Fix possible use after free in pxafb_task()

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafbtask In the pxafbprobe function, it calls the pxafbinitfbinfo function, after which &fbi-task is associated with pxafbtask. Moreover, within this pxafbinitfbinfo function, the...

CVE-2024-49924 fbdev: pxafb: Fix possible use after free in pxafb_task()

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafbtask In the pxafbprobe function, it calls the pxafbinitfbinfo function, after which &fbi-task is associated with pxafbtask. Moreover, within this pxafbinitfbinfo function, the...

CVE-2024-47747 net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

In the Linux kernel, the following vulnerability has been resolved: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition In the ether3probe function, a timer is initialized with a callback function ether3ledoff, bound to &prevdev-timer. Once the timer is started, the...

CVE-2023-52847 media: bttv: fix use after free error due to btv->timeout timer

In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv-timeout timer There may be some a race condition between timer function bttvirqtimeout and bttvremove. The timer is setup in probe and there is no timerdelete operation in remove...

CVE-2024-26658 bcachefs: grab s_umount only if snapshotting

In the Linux kernel, the following vulnerability has been resolved: bcachefs: grab sumount only if snapshotting When I was testing mongodb over bcachefs with compression, there is a lockdep warning when snapshotting mongodb data volume. $ cat test.sh prog=bcachefs $prog subvolume create /mnt/data...