CVE-2025-40187

In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctpdisposition sctpsfdo51Dce If newasoc-peer.adaptationind=0 and sctpulpeventmakeauthkey=0 and sctpulpeventmakeauthkey returns 0, then the variable aiev remains zero and the zero will be...

CVE-2025-40184

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix debug checking for np-guests using huge mappings When running with transparent huge pages and CONFIGNVHEEL2DEBUG then the debug checking in asserthostsharedguest fails on the launch of an np-guest. This WARNON...

CVE-2025-40185

In the Linux kernel, the following vulnerability has been resolved: ice: iceadapter: release xa entry on adapter allocation failure When iceadapternew fails, the reserved XArray entry created by xainsert is not released. This causes subsequent insertions at the same index to return -EBUSY,...

CVE-2025-40183

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadatadst leak bpfredirectneighv4,6 Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable I...

CVE-2025-40182

In the Linux kernel, the following vulnerability has been resolved: crypto: skcipher - Fix reqsize handling Commit afddce13ce81d "crypto: api - Add reqsize to cryptoalg" introduced crareqsize field in cryptoalg struct to replace type specific reqsize fields. It looks like this was introduced...

CVE-2025-40181

In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP When running as an SNP or TDX guest under KVM, force the legacy PCI hole, i.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC via a forc...

CVE-2025-40180

In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent...

CVE-2025-40178

In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pidnrns taskpidnrns ns = taskactivepidnscurrent; pidnrnsrcudereferencetaskpidptrtask, type, ns; if pid && ns-level level Sometimes null is returned for taskactivepidns. Then it will trigger kern...

CVE-2025-40179

In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan...

CVE-2025-64500

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the Request class improperly...

CVE-2025-64429

DuckDB is a SQL database management system. DuckDB implemented block-based encryption of DB on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. The DuckDB can fall back to an insecure random number generator pcg32 to generate cryptographic keys or...

CVE-2025-64345

Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host Rust to the contents of the linear...

CVE-2025-64170

sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered a...

CVE-2025-57812

CUPS is a standards-based, open-source printing system, and libcupsfilters contains the code of the filters of the former cups-filters package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17...

CVE-2024-47866

Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument x-amz-copy-source to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no...

CVE-2025-13042

Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

CVE-2025-59089

If an attacker causes kdcproxy to connect to an attacker-controlled KDC server e.g. through server-side request forgery, they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copie...

CVE-2025-59088

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request f...

CVE-2025-40175

In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skbget. It increases the reference counter for that SKB to prevent unexpected freeing by another...

CVE-2025-40176

In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tlsstrpmsghold fails Async decryption calls tlsstrpmsghold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with...

CVE-2025-40177

In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix bootlog initialization ordering As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to...

CVE-2025-40174

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix SMP ordering in switchmmirqsoff Stephen noted that it is possible to not have an smpmb between the loadedmm store and the tlbgen load in switchmm, meaning the ordering against flushtlbmmrange goes out the window, and ...

CVE-2025-40172

In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in findandmapuserpages Currently, if findandmapuserpages takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAICTRANSDMAXFERCONT fro...

CVE-2025-40173

In the Linux kernel, the following vulnerability has been resolved: net/ip6tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev-neededheadroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd "net: iptunnel: prevent...

CVE-2025-40170

In the Linux kernel, the following vulnerability has been resolved: net: use dstdevrcu in sksetupcaps Use RCU to protect accesses to dst-dev from sksetupcaps and skdstgsomaxsize. Also use dstdevrcu in ip6dstmtumaybeforward, and ipdstmtumaybeforward. ip4dsthoplimit can use dstdevnetrcu...

CVE-2025-40171

In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmetfclsreqop It’s possible for more than one async command to be in flight from nvmetfcsendlsreq. For each command, a tgtport reference is taken. In the current code, only one put work item is...

CVE-2025-40168

In the Linux kernel, the following vulnerability has been resolved: smc: Use skdstget and dstdevrcu in smcclcprfxmatch. smcclcprfxmatch is called from smclistenwork and not under RCU nor RTNL. Using skdstgetsk-dev could trigger UAF. Let's use skdstget and dstdevrcu. Note that the returned value o...

CVE-2025-40169

In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops When verifying BPF programs, the checkaluop function validates instructions with ALU operations. The 'offset' field in these instructions is a signed 16-bit integer. The existing check...

CVE-2025-40166

In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Check GuC running state before deregistering exec queue In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driv...

CVE-2025-40167

In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINEDATA + EXTENTS flag combination syzbot reported a BUGON in ext4escacheextent when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an...

CVE-2025-40164

In the Linux kernel, the following vulnerability has been resolved: usbnet: Fix using smpprocessorid in preemptible code warnings Syzbot reported the following warning: BUG: using smpprocessorid in preemptible 00000000 code: dhcpcd/2879 caller is usbnetskbreturn+0x74/0x490...

CVE-2025-40165

In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usagecount will never reach zero and the ISI channel...

CVE-2025-40163

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Stop dlserver before CPU goes offline IBM CI tool reported kernel warning1 when running a CPU removal operation through drmgr2. i.e "drmgr -c cpu -r -q 1" WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219...

CVE-2025-40162

In the Linux kernel, the following vulnerability has been resolved: ASoC: amd/sdwutils: avoid NULL deref when devmkasprintf fails devmkasprintf may return NULL on memory allocation failure, but the debug message prints cpus-dainame before checking it. Move the devdbg call after the NULL check to...

CVE-2025-40159

In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdpdesc validation Turned out certain clearly invalid values passed in xdpdesc from userspace can pass xp,unalignedvalidatedesc and then lead to UBs or just invalid frames to be queued for xmit...

CVE-2025-40160

In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change findvirq to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUGON from bindvirqtoirq to propogate the error upwards. Some VIRQ...

CVE-2025-40161

In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix SGI cleanup on unbind The driver incorrectly determines SGI vs SPI interrupts by checking IRQ number 16, which fails with dynamic IRQ allocation. During unbind, this causes improper SGI cleanup leading to...

CVE-2025-40158

In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6output Use RCU in ip6output in order to use dstdevrcu to prevent possible UAF. We can remove rcureadlock/rcureadunlock pairs from ip6finishoutput2...

CVE-2025-40157

In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller When loading the i10nmedac driver on some Intel Granite Rapids servers, a call trace may appear as follows: UBSAN: shift-out-of-bounds in...

CVE-2025-40153

In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: avoid soft lockup when mprotect to large memory area When calling mprotect to a large hugetlb memory area in our customer's workload 300GB hugetlb memory, soft lockup was observed: watchdog: BUG: soft lockup - CPU98...

CVE-2025-40154

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcrrt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcrrt5640 driver only shows an error message but leaves as is. This may lead to unepxected results like OOB...

CVE-2025-40155

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: debugfs: Fix legacy mode page table dump logic In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR maybe uninitialized or zero in that case and may cause oops like: Oops: general protection fault,...

CVE-2025-40156

In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe The drv-sramreg pointer could be set to ERRPTR-EPROBEDEFER which would lead to a error pointer dereference. Use ISERRORNULL to check that the pointer is vali...

CVE-2025-40152

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix bootup splat with separategpudrm modparam The drmgemforeachgpuvmbo call from lookupvma accesses drmgemobj.gpuva.list, which is not initialized when the drm driver does not support DRIVERGEMGPUVA feature. Enable it fo...

CVE-2025-40150

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid migrating empty section It reports a bug from device w/ zufs: F2FS-fs dm-64: Inconsistent segment 173822 type 1, 0 in SSA and SIT F2FS-fs dm-64: Stopped filesystem due to reason: 4 Thread A Thread B -...

CVE-2025-40149

In the Linux kernel, the following vulnerability has been resolved: tls: Use skdstget and dstdevrcu in getnetdevforsock. getnetdevforsock is called during setsockopt, so not under RCU. Using skdstgetsk-dev could trigger UAF. Let's use skdstget and dstdevrcu. Note that the only -ndoskgetlowerdev...

CVE-2025-40151

In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: No support of struct argument in trampoline programs The current implementation does not support struct argument. This causes a oops when running bpf selftest: $ ./testprogs -a tracingstruct Oops1: CPU -1 Unable t...

CVE-2025-40146

In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nrrequests grown Allocate and free schedtags while queue is freezed can deadlock1, this is a long term problem, hence allocate memory before freezing queue and free memory after queue is...

CVE-2025-40148

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer checks in dcstream cursor attribute functions The function dcstreamsetcursorattributes currently dereferences the stream pointer and nested members stream-ctx-dc-currentstate without checking for...

CVE-2025-40147

In the Linux kernel, the following vulnerability has been resolved: blk-throttle: fix access race during throttle policy activation On repeated cold boots we occasionally hit a NULL pointer crash in blkshouldthrotl when throttling is consulted before the throttle policy is fully enabled for the...