SUSE CVE-2025-40290

In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a "xsk: Fix immature cq descriptor production", the descriptor number is stored in skb control block and xskcqsubmitaddrlocked relies on it to put the ume...

SUSE CVE-2025-40291

In the Linux kernel, the following vulnerability has been resolved: iouring: fix regbuf vector size truncation There is a report of ioestimatebvecsize truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow "int"s used later. Rough but simple, can b...

SUSE CVE-2025-40292

In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 "virtio-net: use mtu size as buffer length for big packets", when guest gso is off, the allocated size for big packets is not MAXSKBFRAGS PAGESIZE...

SUSE CVE-2025-40293

In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITSPERTYPEbitmap-bitmap pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to...

SUSE CVE-2025-40294

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parseadvmonitorpattern In the parseadvmonitorpattern function, the value of the 'length' variable is currently limited to HCIMAXEXTADLENGTH251. The size of the 'value' array in the mgmtadvpatter...

SUSE CVE-2025-40295

In the Linux kernel, the following vulnerability has been resolved: fscrypt: fix left shift underflow when inode-iblkbits PAGESHIFT When simulating an nvme device on qemu with both logicalblocksize and physicalblocksize set to 8 KiB, an error trace appears during partition table reading at boot...

SUSE CVE-2025-40296

In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Fix double free of GPIO device during unregister regulatorunregister already frees the associated GPIO device. On ThinkPad X9 Lunar Lake, this causes a double free issue that leads to random failures when...

SUSE CVE-2025-40297

In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported1 a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its...

SUSE CVE-2025-40298

In the Linux kernel, the following vulnerability has been resolved: gve: Implement settime64 with -EOPNOTSUPP ptpclocksettime assumes every ptpclock has implemented settime64. Stub it with -EOPNOTSUPP to prevent a NULL dereference...

SUSE CVE-2025-40299

In the Linux kernel, the following vulnerability has been resolved: gve: Implement gettimex64 with -EOPNOTSUPP gve implemented a ptpclock for sole use of doauxwork at this time. ptpclockgettime and ptpsysoffset assume every ptpclock has implemented either gettimex64 or gettime64. Stub gettimex64...

SUSE CVE-2025-40301

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcievent: validate skb length for unknown CC opcode In hcicmdcompleteevt, if the command complete event has an unknown opcode, we assume the first byte of the remaining skb-data contains the return status. However,...

SUSE CVE-2025-40302

In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: forbid removebufs when legacy fileio is active vb2ioctlremovebufs call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when...

SUSE CVE-2025-40303

In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors BUG During development of a minor feature make sure all btrfsbio::endio is called in task context, I noticed a crash in generic/388, where metadata writes...

SUSE CVE-2025-40304

In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bitputcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip...

SUSE CVE-2025-40305

In the Linux kernel, the following vulnerability has been resolved: 9p/transfd: p9fdrequest: kick rx thread if EPOLLIN p9readwork doesn't set Rworksched and doesn't do scheduleworkm-rq if listempty&m-reqlist. However, if the pipe is full, we need to read more data and this used to work prior to...

SUSE CVE-2025-40306

In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau forwarded me a message from Disclosure with the following warning: The helper xattrkey uses the pointer variable in the loop condition rather than dereferencing it. As...

SUSE CVE-2025-40307

In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem ...

SUSE CVE-2025-40308

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsprecv can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN:...

SUSE CVE-2025-40309

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on scoconnfree BUG: KASAN: slab-use-after-free in scoconnfree net/bluetooth/sco.c:87 inline BUG: KASAN: slab-use-after-free in krefput include/linux/kref.h:65 inline BUG: KASAN: slab-use-after-free in...

SUSE CVE-2025-40310

In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpuamdkfddevicefinisw There is race in amdgpuamdkfddevicefinisw and interrupt. if amdgpuamdkfddevicefinisw run in b/w kfdcleanupnodes and kfreekfd, and KGD interrupt generated. kernel panic log:...

SUSE CVE-2025-40311

In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dmaalloccoherent with GFPUSER may return addresses from the vmalloc range. If such an address is mapped without VMMIXEDMAP,...

SUSE CVE-2025-40312

In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 "isofs: Verify inode mode when loading from disk" does...

SUSE CVE-2025-40313

In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 "vfs: catch invalid modes in mayopen" requires any inode be one of SIFDIR/SIFLNK/SIFREG/SIFCHR/SIFBLK/ SIFIFO/SIFSOCK type, use SIFREG for $Extend records...

SUSE CVE-2025-40314

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the cdnspgadgetinit and cdnspgadgetexit functions, the gadget structure pdev-gadget was freed before its endpoints. The endpoints are...

SUSE CVE-2025-40315

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ffs: Fix epfile null pointer access after ep enable. A race condition occurs when ffsfuncepsenable runs concurrently with ffsdatareset. The ffsdataclear called in ffsdatareset sets ffs-epfiles to NULL before resettin...

SUSE CVE-2025-40316

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind but failed to remove a partial fix which had been added by commit...

SUSE CVE-2025-40317

In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix buscontext pointer in regmap init calls Commit 4e65bda8273c "ASoC: wcd934x: fix error handling in wcd934xcodecparsedata" revealed the problem in the slimbus regmap. That commit breaks audio playback, for...

SUSE CVE-2025-40318

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: fix race in hcicmdsyncdequeueonce hcicmdsyncdequeueonce does lookup and then cancel the entry under two separate lock sections. Meanwhile, hcicmdsyncwork can also delete the same entry, leading to double listd...

SUSE CVE-2025-40319

In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irqwork can be queued in bpfringbufcommit but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to schedswit...

SUSE CVE-2025-40320

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2queryinfocompound When smb2queryinfocompound retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act o...

SUSE CVE-2025-40321

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to firmware. Th...

SUSE CVE-2025-40322

In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bitputcs bitputcsaligned/unaligned derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the...

SUSE CVE-2025-40323

In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fbdisplayi-mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fbmodeisequal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by...

SUSE CVE-2025-40324

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4readrelease When tracing is enabled, the tracenfsdreaddone trace point crashes during the pynfs read.testNoFh test...

SUSE CVE-2025-40326

In the Linux kernel, the following vulnerability has been resolved: NFSD: Define actions for the new timedeleg FATTR4 attributes NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CBGETATTR and SETATTR. But NFSD has to do...

SUSE CVE-2025-66004

A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user.This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba...

SUSE CVE-2025-66512

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside...

SUSE CVE-2025-40267

In the Linux kernel, the following vulnerability has been resolved: iouring/rw: ensure allocated iovec gets cleared for early failure A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this...

SUSE CVE-2025-40268

In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3fscontextparseparam The user calls fsconfig twice, but when the program exits, free only frees ctx-source for the second fsconfig, not the first. Regarding fc-source, there is no code in the f...

SUSE CVE-2025-40269

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by so...

SUSE CVE-2025-40270

In the Linux kernel, the following vulnerability has been resolved: mm, swap: fix potential UAF issue for VMA readahead Since commit 78524b05f1a3 "mm, swap: avoid redundant swap device pinning", the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get ...

SUSE CVE-2025-40271

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in procreaddirde Pde is erased from subdir rbtree through rberase, but not set the node to EMPTY, which may result in uaf access. We should use RBCLEARNODE set the erased node to EMPTY, then pdesubdirnext will...

SUSE CVE-2025-40272

In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with memfdsecret2, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct...

SUSE CVE-2025-40273

In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4freeolstateid Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4laundromat if the stateid hasn't been used in a lease period. However, in case...

SUSE CVE-2025-40274

In the Linux kernel, the following vulnerability has been resolved: KVM: guestmemfd: Remove bindings on memslot deletion when gmem is dying When unbinding a memslot from a guestmemfd instance, remove the bindings even if the guestmemfd file is dying, i.e. even if its file refcount has gone to zer...

SUSE CVE-2025-40275

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in sndusbmixercontrolsbadd In sndusbcreatestreams, for UAC version 3 devices, the Interface Association Descriptor IAD is retrieved via usbifnumtoif. If this call fails, a fallback...

SUSE CVE-2025-40276

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks...

SUSE CVE-2025-40277

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGACMDMAXDATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access...

SUSE CVE-2025-40278

In the Linux kernel, the following vulnerability has been resolved: net: sched: actife: initialize struct tcife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by the syzbot . net? KMSAN: kernel-infoleak in skbdatagramiter In tcfifedump, the variable 'opt' was partially...

SUSE CVE-2025-40279

In the Linux kernel, the following vulnerability has been resolved: net: sched: actconnmark: initialize struct tcife to fix kernel leak In tcfconnmarkdump, the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nlaput copi...