68528 matches found
CVE-2025-71078
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to period...
CVE-2025-68800
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrummr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex instead of RTNL to protect the multicast route list, so that it will not change while the driver periodically traverse...
CVE-2025-68820
In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4rawinode If ext4getinodeloc fails e.g. if it returns -EFSCORRUPTED, iloc.bh will remain set to NULL. Since ext4xattrinodedecrefall lacks error checking, this will lead to a null pointer...
CVE-2025-71101
In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hppopulateelementsfrompackage functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI...
CVE-2025-68815
In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in t...
CVE-2025-71098
In the Linux kernel, the following vulnerability has been resolved: ip6gre: make ip6greheader robust Over the years, syzbot found many ways to crash the kernel in ip6greheader 1. This involves team or bonding drivers ability to dynamically change their dev-neededheadroom and/or dev-hardheaderlen ...
CVE-2025-68794
In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomapadjustreadrange assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case...
CVE-2025-71097
In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fibtableflush is called to flush all the routes that are using the dead nexthop. The...
CVE-2025-68822
In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3registerwork The dev3registerwork delayed work item is initialized within alpsreconnect and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device...
CVE-2025-71094
In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asixreadphyaddr. A malicious or faulty device can return an invalid address = PHYMAXADDR, which causes a warning in...
CVE-2025-71071
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case...
CVE-2025-71080
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6getpcpuroute under PREEMPTRT On PREEMPTRT kernels, after rt6getpcpuroute returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6makepcpuroute and successful...
CVE-2025-71069
In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAXDIRHASHDEPTH. When RENAMEWHITEOUT operations are performed on such...
CVE-2025-71096
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LSNLATYPEDGID correctly The netlink response for RDMANLLSOPIPRESOLVE should always have a LSNLATYPEDGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call...
CVE-2025-68819
In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100i2cmsg rlen value is a user-controlled value, but dtv5100i2cmsg does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeofst-data, an...
CVE-2025-71083
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for...
CVE-2025-68790
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCAPORTS component Clear hcadevcomcomp in device's private data after unregistering it in LAG teardown. Otherwise a slightly lagging second pass through mlx5unloadone might try to unregister it...
CVE-2025-68793
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job-pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue. The gpu recovery function calls drmschedstop and later...
CVE-2025-68801
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrumrouter: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour 1. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference ...
CVE-2025-68802
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit numsyncs to prevent oversized allocations The exec and vmbind ioctl allow userspace to specify an arbitrary numsyncs value. Without bounds checking, a very large numsyncs can force an excessively large allocation,...
CVE-2025-68797
In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in acioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In acioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6...
CVE-2025-68791
In the Linux kernel, the following vulnerability has been resolved: fuse: missing copyfinish in fuse-over-io-uring argument copies Fix a possible reference count leak of payload pages during fuse argument copies. Joanne: simplified error cleanup...
CVE-2025-68799
In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrmlreceive The cffrmlreceive function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len = 2. If an attacker sends ...
CVE-2025-71070
In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLKREFCOUNTINIT. Befo...
CVE-2025-71086
In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rosekillbydevice rosekillbydevice collects sockets into a local array and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes...
CVE-2025-71088
In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflowdataready+0x40b/0x7c0 net/mptcp/subflow.c:15...
CVE-2025-71095
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDPTX action There is a crash issue when running zero copy XDPTX action, the crash log is shown below. 216.122464 Unable to handle kernel paging request at virtual address...
CVE-2025-68809
In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on mflags in vfscache ksmbd maintains delete-on-close and pending-delete state in ksmbdinode-mflags. In vfscache.c this field is accessed under inconsistent locking: some paths read and modify mflags under...
CVE-2025-71073
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbdinterrupt schedules lk-tq via schedulework, and the work handler lkkbdreinit dereferences the lkkbd structure and its serio/inputdev fields. lkkbddisconnect and error...
CVE-2025-71068
In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rqpages index in inline path svcrdmacopyinlinerange indexed rqstp-rqpagesrccurpage without verifying rccurpage stays within the allocated page array. Add guards before the first use and after advancing to a n...
CVE-2025-71100
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cutxfilldesc TID getting from ieee80211gettid might be out of range of array size of staentry-tids, so check TID is less than MAXTIDCOUNT. Othwerwise, UBSAN warn: UBSAN:...
CVE-2025-68817
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbdtreeconnectput under concurrency Under high concurrency, A tree-connection object tcon is freed on a disconnect path while another path still holds a reference and later executes put/write on it...
CVE-2025-71076
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit numsyncs to prevent oversized allocations The OA open parameters did not validate numsyncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure...
CVE-2025-71090
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsdfile reference leak in nfsd4addrdaccesstowrdeleg nfsd4addrdaccesstowrdeleg unconditionally overwrites fp-fifdsORDONLY with a newly acquired nfsdfile. However, if the client already has a SHAREACCESSREAD open from a...
CVE-2025-71065
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi-cprwsem -- fsreclaim -- sbinternal2 Possible unsafe locking scenario: CPU0 CPU1 ----...
CVE-2025-71081
In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the setsync callback fails during DAI probe. Make sure to drop the referen...
CVE-2025-68814
In the Linux kernel, the following vulnerability has been resolved: iouring: fix filename leak in ioopenatprep ioopenatprep allocates a struct filename using getname. However, for the condition of the file being installed in the fixed file table as well as having OCLOEXEC flag set, the function...
CVE-2025-71067
In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read bootblock when mounting When mounting, sb-sblocksize is used to read the bootblock without being defined or validated. Set a dummy blocksize before attempting to read the bootblock. The issue can...
CVE-2025-71087
In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavfconfigrssreg There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory 1 and out-of-bounds writes to device registers. Before commit...
CVE-2025-68803
In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL based on the mode bits and not the...
CVE-2025-68823
In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one processsuch as udev opens ublk block device e.g., to read the partition table via bdevopen, a deadlock1 can occur: 1. bdevopen grabs disk-openmutex 2. The process issues re...
CVE-2025-68796
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs loop0: updateextenttreerange: extent len is zero, type: 0, extent 0, 0, 0, age 0, 0 ------------ cut here ------------ kernel BUG at...
CVE-2025-68816
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fwtracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from...
CVE-2025-68795
In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOLGSSETINFO for the size, ETHTOOLGSTRINGS for the names, and ETHTOOLGSTATS for the values. If the number of...
CVE-2025-71085
In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG in pskbexpandhead as part of calipsoskbuffsetattr There exists a kernel oops caused by a BUGONnhead INTMAX i.e. intskbheadroomskb + lendelta skbheadroomskb is meant to ensure that delta = headroom - skbheadroomskb is...
CVE-2025-71064
In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the numtqps in the vf driver to apply for resources Currently, hdev-htqp is allocated using hdev-numtqps, and kinfo-tqp is allocated using kinfo-numtqps. However, kinfo-numtqps is set to minnewtqps, hdev-numtqps;...
CVE-2025-71092
In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxtre: Fix OOB write in bnxtrecopyerrstats Commit ef56081d1864 "RDMA/bnxtre: RoCE related hardware counters update" added three new counters and placed them after BNXTREOUTOFSEQERR. BNXTREOUTOFSEQERR acts as a boundary mark...
CVE-2025-71089
In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIGX86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing SVA. In an SVA context, an...
CVE-2025-71091
In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in teamqueueoverrideportpriochanged There has been a syzkaller bug reported recently with the following trace: listdel corruption, ffff888058bea080-prev is LISTPOISON2 dead000000000122 -----------...
CVE-2025-71093
In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000tbishouldaccept In e1000tbishouldaccept we read the last byte of the frame via 'datalength - 1' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer...