CVE-2024-40935

In the Linux kernel, the following vulnerability has been resolved: cachefiles: flush all requests after setting CACHEFILES_DEAD In ondemand mode, when the daemon is processing an open request, if thekernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write()will always return -EIO, so...

CVE-2024-40947

In the Linux kernel, the following vulnerability has been resolved: ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010PGD 42f873067 P4D 0Oops: 0000 [#1] SMP NOPTICPU: 5 PID: 1286325 Com...

CVE-2024-41004

In the Linux kernel, the following vulnerability has been resolved: tracing: Build event generation tests only as modules The kprobes and synth event generation test modules add events and lock(get a reference) those event file reference in module init function,and unlock and delete it in module ex...

CVE-2024-41036

In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Fix deadlock with the SPI chip variant When SMP is enabled and spinlocks are actually functional then there isa deadlock with the 'statelock' spinlock between ks8851_start_xmit_spiand ks8851_irq: watchdog: BUG: soft lo...

CVE-2024-41051

In the Linux kernel, the following vulnerability has been resolved: cachefiles: wait for ondemand_object_worker to finish when dropping object When queuing ondemand_object_worker() to re-open the object,cachefiles_object is not pinned. The cachefiles_object may be freed whenthe pending read request...

CVE-2024-42063

In the Linux kernel, the following vulnerability has been resolved: bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode syzbot reported uninit memory usages during map_{lookup,delete}_elem. ==========BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inli...

CVE-2024-42119

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip finding free audio for unknown engine_id [WHY]ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, italso means it is uninitialized and does not need free audio. [HOW]Skip and return NULL. This ...

CVE-2024-42137

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closedserdev") will cause below regression issue: BT can't be enabled after below steps:cold...

CVE-2024-42146

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf Any kunit doing any memory access should get their own runtime_pmouter references since they don't use the standard driver APIentries. In special this dma_buf from...

CVE-2024-43833

In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix NULL pointer dereference in adding ancillary links In v4l2_async_create_ancillary_links(), ancillary links are created forlens and flash sub-devices. These are sub-device to sub-device links andif the async n...

CVE-2024-43857

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix null reference error when checking end of zone This patch fixes a potentially null pointer being accessed byis_end_zone_blkaddr() that checks the last block of a zonewhen f2fs is mounted as a single device.

CVE-2024-43876

In the Linux kernel, the following vulnerability has been resolved: PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup() Avoid large backtrace, it is sufficient to warn the user that there hasbeen a link problem. Either the link has failed and the system is in needof maintenance...

CVE-2024-44956

In the Linux kernel, the following vulnerability has been resolved: drm/xe/preempt_fence: enlarge the fence critical section It is really easy to introduce subtle deadlocks inpreempt_fence_work_func() since we operate on single global ordered-wqfor signalling our preempt fences behind the scenes, s...

CVE-2024-46676

In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Add poll mod list filling check In case of im_protocols value is 1 and tm_protocols value is 0 thiscombination successfully passes the check'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().But then after pn...

CVE-2024-46697

In the Linux kernel, the following vulnerability has been resolved: nfsd: ensure that nfsd4_fattr_args.context is zeroed out If nfsd4_encode_fattr4 ends up doing a "goto out" before we get tochecking for the security label, then args.context will be set touninitialized junk on the stack, which we'l...

CVE-2024-46717

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: SHAMPO, Fix incorrect page release Under the following conditions: No skb created yet header_size == 0 (no SHAMPO header) header_index + 1 % MLX5E_SHAMPO_WQ_HEADER_PER_PAGE == 0 (this is thelast page fragment of a SHAMPO...

CVE-2024-46732

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign linear_pitch_alignment even for VM [Description]Assign linear_pitch_alignment so we don't cause a divide by 0error in VM environments

CVE-2024-46773

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW]A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.

CVE-2024-46824

In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls withsomething like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000...

CVE-2024-47663

In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. In such casead9834_calc_freqreg() call will lead to division by zero. Checking'if (fout > (clk_freq / 2...

CVE-2024-47669

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 ("nilfs2: separate wait function fromnilfs_segctor_write") was applied, the log writing functionnilfs_segctor_do_construct() was able to i...

CVE-2024-47746

In the Linux kernel, the following vulnerability has been resolved: fuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set This may be a typo. The comment has said shared locks arenot allowed when this bit is set. If using shared lock, thewait in fuse_file_cached_io_open may be forever.

CVE-2024-47750

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 Currently rsv_qp is freed before ib_unregister_device() is calledon HIP08. During the time interval, users can still dereg MR andrsv_qp will be used in this process, leading to a UAF....

CVE-2024-47751

In the Linux kernel, the following vulnerability has been resolved: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() Within kirin_pcie_parse_port(), the pcie->num_slots is compared topcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would leadto an overflow. Thus, fix co...

CVE-2024-49915

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw This commit addresses a potential null pointer dereference issue in thedcn32_init_hw function. The issue could occur when dc->clk_mgr isnull. The fix adds a check to e...

CVE-2024-49918

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer This commit addresses a potential null pointer dereference issue in thedcn32_acquire_idle_pipe_for_head_pipe_in_layer function. The iss...

CVE-2024-50025

In the Linux kernel, the following vulnerability has been resolved: scsi: fnic: Move flush_work initialization out of if block After commit 379a58caa199 ("scsi: fnic: Move fnic_fnic_flush_tx() to awork queue"), it can happen that a work item is sent to an uninitializedwork queue. This may has the e...

CVE-2024-50104

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: sdm845: add missing soundwire runtime stream alloc During the migration of Soundwire runtime stream allocation fromthe Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845soundcard was forgotten. At this ...

CVE-2024-50112

In the Linux kernel, the following vulnerability has been resolved: x86/lam: Disable ADDRESS_MASKING in most cases Linear Address Masking (LAM) has a weakness related to transientexecution as described in the SLAM paper[1]. Unless Linear AddressSpace Separation (LASS) is enabled this weakness may b...

CVE-2024-50178

In the Linux kernel, the following vulnerability has been resolved: cpufreq: loongson3: Use raw_smp_processor_id() in do_service_request() Use raw_smp_processor_id() instead of plain smp_processor_id() indo_service_request(), otherwise we may get some errors with the driverenabled: BUG: using smp_p...

CVE-2024-56613

In the Linux kernel, the following vulnerability has been resolved: sched/numa: fix memory leak due to the overwritten vma->numab_state [Problem Description]When running the hackbench program of LTP, the following memory leak isreported by kmemleak. /opt/ltp/testcases/bin/hackbench 20 thread 100...

CVE-2024-56620

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: qcom: Only free platform MSIs when ESI is enabled Otherwise, it will result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008Call trace:mutex_loc...

CVE-2024-56725

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c Add error pointer check after calling otx2_mbox_get_rsp().

CVE-2024-58057

In the Linux kernel, the following vulnerability has been resolved: idpf: convert workqueues to unbound When a workqueue is created with WQ_UNBOUND, its work items areserved by special worker-pools, whose host workers are not bound toany specific CPU. In the default configuration (i.e. whenqueue_de...

CVE-2024-58070

In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptiblecontext. bpf_mem_alloc must be used in PREEMPT_RT. This patch isto enforce bpf_mem_alloc in the b...

CVE-2025-21732

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error This patch addresses a race condition for an ODP MR that can result in aCQE with an error on the UMR QP. During the __mlx5_ib_dereg_mr() flow, the following sequence...

CVE-2025-21742

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within theURB based on the wNdpIndex value in NTH16. Only the start position ofNDP16 was checked, so it was possible for e...

CVE-2025-21743

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow ifwDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoBread. Move the wDatagramIndex term...

CVE-2025-21786

In the Linux kernel, the following vulnerability has been resolved: workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057b913("workqueue: Reap workers via kthread_stop() andremove detach_completion") adds code to reap the normal workers butmistakenly does not handle t...

CVE-2025-21810

In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() There are a potential wild pointer dereferences issue regarding APIsclass_dev_iter_(init|next|exit)(), as explained by below typical usage: // All membe...

CVE-2025-21833

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE There is a WARN_ON_ONCE to catch an unlikely situation whendomain_remove_dev_pasid can't find the pasid. In case it neverthelesshappens we must avoid using a NULL pointer.

CVE-2025-21868

In the Linux kernel, the following vulnerability has been resolved: net: allow small head cache usage with large MAX_SKB_FRAGS values Sabrina reported the following splat: WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0 Modules linked in: CPU: 0 UID: 0 PID: 1 ...

CVE-2025-21924

In the Linux kernel, the following vulnerability has been resolved: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error During the initialization of ptp, hclge_ptp_get_cycle might return an errorand returned directly without unregister clock and free it. T...

CVE-2025-22037

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in alloc_preauth_hash() The Client send malformed smb2 negotiate request. ksmbd return errorresponse. Subsequently, the client can send smb2 session setup eventhought conn->preauth_info is not...

CVE-2025-22043

In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for durable handle context Add missing bounds check for durable handle context.

CVE-2025-22065

In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot With SRIOV enabled, idpf ends up calling into idpf_remove() twice.First via idpf_shutdown() and then again when idpf_remove() calls intosriov_disable(), because the VF devices us...

CVE-2025-22068

In the Linux kernel, the following vulnerability has been resolved: ublk: make sure ubq->canceling is set when queue is frozen Now ublk driver depends on ubq->canceling for deciding if the requestcan be dispatched via uring_cmd & io_uring_cmd_complete_in_task(). Once ubq->canceling is set,...

CVE-2025-22117

In the Linux kernel, the following vulnerability has been resolved: ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() Fix using the untrusted value of proto->raw.pkt_len in functionice_vc_fdir_parse_raw() by verifying if it does not exceed theVIRTCHNL_MAX_SIZE_RAW_PACKET value...

CVE-2025-23141

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle arather extreme edge case where "accepting" APIC events, i.e. processingpending...

CVE-2025-23157

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add check to avoid out of bound access There is a possibility that init_codecs is invoked multiple times duringmanipulated payload from video firmware. In such case, if codecs_countcan get incremented to v...