CVE-2025-38456 ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()

In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() The "intf" list iterator is an invalid pointer if the correct"intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) onand invalid pointer will...

CVE-2025-38457 net/sched: Abort __tc_modify_qdisc if parent class does not exist

In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API.Whenever a user creates/modifies a qdisc specifying as a parent anotherqdisc, the qdisc API will, during gr...

CVE-2025-38458 atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crashas bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000PGD 0 P4D 0Oops: Oops: 0010...

CVE-2025-38459 atm: clip: Fix infinite recursive call of clip_push().

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(),and the se...

CVE-2025-38460 atm: clip: Fix potential null-ptr-deref in to_atmarpd().

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clipcauses unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL,especially...

CVE-2025-38461 vsock: Fix transport_* TOCTOU

In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transportfrom becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport();add a lockdep assert. BUG: ...

CVE-2025-38462 vsock: Fix transport_{g2h,h2g} TOCTOU

In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential...

CVE-2025-38463 tcp: Correct signedness in skb remaining space calculation

In the Linux kernel, the following vulnerability has been resolved: tcp: Correct signedness in skb remaining space calculation Syzkaller reported a bug 1 where sk->sk_forward_alloc can overflow. When we send data, if an skb exists at the tail of the write queue, thekernel will attempt to append ...

CVE-2025-38464 tipc: Fix use-after-free in tipc_conn_close().

In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netnsdismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and callstipc_conn_close() for each t...

CVE-2025-38465 netlink: Fix wraparounds of sk->sk_rmem_alloc.

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same proble...

CVE-2025-38466 perf: Revert to requiring CAP_SYS_ADMIN for uprobes

In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in themiddle of an instruction. The kernel only verifies there is a validinstruction at the requested offset, but due...

CVE-2025-38467 drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling

In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial),the kernel occasionally panics during boot. The panic message and arelevant snippet of the call st...