11047 matches found
CVE-2022-50090
In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info->max_extent_size On zoned filesystem, data write out is limited by max_zone_append_size,and a large ordered extent is split according the size of a bio. OTOH,the number of extent...
CVE-2022-50167
In the Linux kernel, the following vulnerability has been resolved: bpf: fix potential 32-bit overflow when accessing ARRAY map element If BPF array map is bigger than 4GB, element pointer calculation canoverflow because both index and elem_size are u32. Fix this everywhereby forcing 64-bit multipl...
CVE-2025-38128
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands In 'mgmt_hci_cmd_sync()', check whether the size of parameters passedin 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data(i.e. 'sizeof(struct mgmt_cp_hci_cmd_sy...
CVE-2025-38176
In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in binderfs_evict_inode() Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabledkernel, I've noticed the following: BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0Write of...
CVE-2025-38254
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add sanity checks for drm_edid_raw() When EDID is retrieved via drm_edid_raw(), it doesn't guarantee toreturn proper EDID bytes the caller wants: it may be either NULL (thatleads to an Oops) or with too long bytes ...
CVE-2025-38372
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling __xa_store() and __xa_erase() were used without holding the proper lock,which led to a lockdep warning due to unsafe RCU usage. This patchreplaces them with xa_store() an...
CVE-2025-38381
In the Linux kernel, the following vulnerability has been resolved: Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt() The cs40l50_upload_owt() function allocates memory via kmalloc()without checking for allocation failure, which could lead to aNULL pointer dereference. R...
CVE-2025-38383
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix data race in show_numa_info() The following data-race was found in show_numa_info(): ==================================================================BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show r...
CVE-2025-38423
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9375: Fix double free of regulator supplies Driver gets regulator supplies in probe path withdevm_regulator_bulk_get(), so should not call regulator_bulk_free() inerror and remove paths to avoid double free.
CVE-2025-38434
In the Linux kernel, the following vulnerability has been resolved: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for__access_ok()"). This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(),because the previous...
CVE-2025-38501
In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connections from clients with the same IP Repeated connections from clients with the same IP address may exhaustthe max connections and prevent other normal client connections.This patch limit repeated connect...
CVE-2025-38512
In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerabilityfor mesh networks. The initial update to the IEEE 802.11 standard, inresponse to the FragAttacks, missed this case...
CVE-2025-38520
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback fromcompactd or fork or numa balancing could release the last referenceof mm struct to call exit_mmap and fre...
CVE-2025-38524
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recv-recv race of completed call If a call receives an event (such as incoming data), the call gets placedon the socket's queue and a thread in recvmsg can be awakened to go andprocess it. Once the thread has picked up t...
CVE-2025-38526
In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_running() is being called from outside ofthe LAG event handler code. This results in the lag->upper_netdev beingNULL sometimes. To avoid a NULL-pointer d...
CVE-2025-38539
In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_event_sem) when adding trace event When a module is loaded, it adds trace events defined by the module. Itmay also need to modify the modules trace printk formats to replace enumnames with their values...
CVE-2025-38552
In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch betweensubflow failing and additional subflow creation. They are just harder totrigger. The solution is si...
CVE-2025-38563
In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with theringbuffer and additionally the auxiliary buffer, when the event supportsit. Once the first mapping is established...
CVE-2025-38568
In the Linux kernel, the following vulnerability has been resolved: net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing TCA_MQPRIO_TC_ENTRY_INDEX is validated usingNLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the valueTC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-o...
CVE-2025-38571
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recvdue to its assumption that there is valid data in the msghdr'siterator's kvec. Instead, this patch proposes the rewor...
CVE-2025-38572
In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headersleading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_tra...
CVE-2025-38574
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptp_xmit() Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb dataon ppp_sync_txmung") fixed ppp_sync_txmunge() We need a similar fix in pptp_xmit(), otherwise we mightread uninit data as...
CVE-2025-38577
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid panic in f2fs_evict_inode As syzbot [1] reported as below: R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520---[ end trace 00000000...
CVE-2025-38581
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebindingthe ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind$ echo '0000:0a:...
CVE-2025-38582
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix double destruction of rsv_qp rsv_qp may be double destroyed in error flow, first in free_mr_init(),and then in hns_roce_exit(). Fix it by moving the free_mr_init() callinto hns_roce_v2_init(). list_del corruption, fff...
CVE-2025-38590
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrmstate, this state is looked up in an xarray. However, the state mighthave been freed by the time of this loo...
CVE-2025-38595
In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through -up to xen folks] As soon as we'd inserted a file reference into descriptor table, anotherthread could close it. That's ...
CVE-2025-38614
In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper thanEP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free anddoes some recursion depth checks, bu...
CVE-2025-38615
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: cancle set bad inode after removing name fails The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.When renaming, the file0's inode is marked as a bad inode because the filename cannot be deleted. T...
CVE-2022-50009
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix null-ptr-deref in f2fs_get_dnode_of_data There is issue as follows when test f2fs atomic write:F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblockF2FS-fs (loop0): invalid crc_offset: 0F2FS-fs (loop0): f2fs...
CVE-2022-50070
In the Linux kernel, the following vulnerability has been resolved: mptcp: do not queue data on closed subflows Dipanjan reported a syzbot splat at close time: WARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153Modules linked in: uio_ivshmem(OE)...
CVE-2023-4515
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), exceptfor SMB2_OPLOCK_BREAK_HE command, the request size of other commandsis not checked, it's not expected. Fix it by add check ...
CVE-2025-38121
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: avoid panic on init failure In case of an error during init, in_hw_restart will be set, but it willnever get cleared.Instead, we will retry to init again, and then we will act like we are in arestart when we are...
CVE-2025-38130
In the Linux kernel, the following vulnerability has been resolved: drm/connector: only call HDMI audio helper plugged cb if non-null On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cbwith NULL as the callback function and codec_dev, as seen in itshdmi_remove function. The HDMI au...
CVE-2025-38413
In the Linux kernel, the following vulnerability has been resolved: virtio-net: xsk: rx: fix the frame's length check When calling buf_to_xdp, the len argument is the frame data's lengthwithout virtio header's length (vi->hdr_len). We check that len with xsk_pool_get_rx_frame_size() + vi->hdr...
CVE-2025-38507
In the Linux kernel, the following vulnerability has been resolved: HID: nintendo: avoid bluetooth suspend/resume stalls Ensure we don't stall or panic the kernel when using bluetooth-connectedcontrollers. This was reported as an issue on android devices usingkernel 6.6 due to the resume hook which...
CVE-2025-38513
In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). Forexample, the following is possible: T0 T1 zd_mac_tx_to_dev()/* len == skb_queue_le...
CVE-2025-38521
In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix kernel crash when hard resetting the GPU The GPU hard reset sequence calls pm_runtime_force_suspend() andpm_runtime_force_resume(), which according to their documentation shouldonly be used during system-wide P...
CVE-2025-38527
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to ause-after-free of the cinode structure when unmounting: cifs_oplock_break()_cifsFileInfo_put(cfile)cifsFileInfo_put_...
CVE-2025-38533
In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix the using of Rx buffer DMA The wx_rx_buffer structure contained two DMA address fields: 'dma' and'page_dma'. However, only 'page_dma' was actually initialized and usedto program the Rx descriptor. But 'dma' was unin...
CVE-2025-38540
In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C)report a HID sensor interface that is not actually implemented.Attempting to access this non-funct...
CVE-2025-38542
In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix device refcount leak in atrtr_create() When updating an existing route entry in atrtr_create(), the old devicereference was not being released before assigning the new device,leading to a device refcount leak. F...
CVE-2025-38550
In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()does, the reference should be put after ip6_mc_clear_src() return.
CVE-2025-38556
In the Linux kernel, the following vulnerability has been resolved: HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets ashift-out-of-bounds exception when it tries to convert a 32-bitquantity to a 0-bit quantity. Ideally this should ne...
CVE-2025-38561
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd,Preauh_HashValue race condition could happen.There is no need to free sess->Preauh_HashValue at session setup phase.It can be fre...
CVE-2025-38562
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference error in generate_encryptionkey If client send two session setups with krb5 authenticate to ksmbd,null pointer dereference error in generate_encryptionkey could happen.sess->Preauth_HashValue ...
CVE-2025-38569
In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VFs benet crashes as soon as SRIOV VFs are created: kernel BUG at mm/vmalloc.c:3457!Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTICPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+...
CVE-2025-38578
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_sync_inode_meta() syzbot reported an UAF issue as below: [1] [2] [1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000 ===============================================================...
CVE-2025-38583
In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR,unregistering same will fail with following call trace: Unable to handle kernel NULL pointer de...
CVE-2025-38585
In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variableis larger than the expected buffer size, two behaviors combine to createa stack buffer...