2810 matches found
CVE-2025-38006
In the Linux kernel, the following vulnerability has been resolved: net: mctp: Don't access ifa_index when missing In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, butonly when the struct ifaddrmsg is provided. Otherwise it will becomparing to uninitialised memory - reproducible i...
CVE-2025-38034
In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref btrfs_prelim_ref() calls the old and new reference variables in theincorrect order. This causes a NULL pointer dereference because oldrefis passed as NULL to tra...
CVE-2025-38038
In the Linux kernel, the following vulnerability has been resolved: cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost set_boost is a per-policy function call, hence a driver wide lock isunnecessary. Also this mutex_acquire can collide with the mutex_acquirefrom the mode-switch path i...
CVE-2025-38048
In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is thesimplified stack when the issue occurred: ===========================================...
CVE-2025-38051
In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which mayaccess the rsp buffer after it has been released, triggering thefollowing KASAN warning. ===================...
CVE-2025-38062
In the Linux kernel, the following vulnerability has been resolved: genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie The IOMMU translation for MSI message addresses has been a 2-step process,separated in time: iommu_dma_prepare_msi(): A cookie pointer containing the IOV...
CVE-2025-38063
In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush()generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC,which causes the flush_bio to be thrott...
CVE-2025-38071
In the Linux kernel, the following vulnerability has been resolved: x86/mm: Check return value from memblock_phys_alloc_range() At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB ofcontiguous free memory available at this point, the kernel will crashand burn because memblock_phys_...
CVE-2025-38074
In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used isalready set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work()-> vhost_add_use...
CVE-2025-38075
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection NOPIN response timer may expire on a deleted connection and crash withsuch logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d...
CVE-2025-38109
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embeddedchip (ECVF) of a BlueField device. In such case the vport acl ingresstable is not properly destroyed. ECVF fu...
CVE-2025-38115
In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packetsin sch->gso_skb, an...
CVE-2025-38118
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add toavoid crashes like bellow: ==================================================================BUG: KA...
CVE-2025-38121
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: avoid panic on init failure In case of an error during init, in_hw_restart will be set, but it willnever get cleared.Instead, we will retry to init again, and then we will act like we are in arestart when we are...
CVE-2025-38123
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Fix napi rx poll issue When driver handles the napi rx polling requests, the netdev mighthave been released by the dellink logic triggered by the disconnectoperation on user plane. However, in the logic of processi...
CVE-2025-38134
In the Linux kernel, the following vulnerability has been resolved: usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink() As demonstrated by the fix for update_port_device_state,commit 12783c0b9e2c ("usb: core: Prevent null pointer dereference in update_port_device_state"),usb_...
CVE-2025-38137
In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Cancel outstanding rescan work when unregistering It's possible to trigger use-after-free here by: (a) forcing rescan_work_func() to take a long time and(b) utilizing a pwrctrl driver that may be unloaded for some reas...
CVE-2025-38138
In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: Add NULL check in udma_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently,udma_probe() does not check for this case, which results in a NULLpointer dereference. Add NULL check after devm_ka...
CVE-2025-38141
In the Linux kernel, the following vulnerability has been resolved: dm: fix dm_blk_report_zones If dm_get_live_table() returned NULL, dm_put_live_table() was nevercalled. Also, it is possible that md->zone_revalidate_map will changewhile calling this function. Only read it once, so that we are a...
CVE-2025-38143
In the Linux kernel, the following vulnerability has been resolved: backlight: pm8941: Add NULL check in wled_configure() devm_kasprintf() returns NULL when memory allocation fails. Currently,wled_configure() does not check for this case, which results in a NULLpointer dereference. Add NULL check a...
CVE-2025-38144
In the Linux kernel, the following vulnerability has been resolved: watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe() devm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe()does not check for this case, which results in a NUL...
CVE-2025-38150
In the Linux kernel, the following vulnerability has been resolved: af_packet: move notifier's packet_dev_mc out of rcu critical section Syzkaller reports the following issue: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578__mutex_lock+0x106/0xe80 kernel/locking/mut...
CVE-2025-38151
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work The cited commit fixed a crash when cma_netevent_callback was called fora cma_id while work on that id from a previous call had not yet started.The work item was re-...
CVE-2025-38157
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from anath9k_htc-managed device before beaconing has been enabled. This causesa device-by-zero error in the driver...
CVE-2025-38158
In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: fix XQE dma address error The dma addresses of EQE and AEQE are wrong after migration andresults in guest kernel-mode encryption services failure.Comparing the definition of hardware registers, we found thatthere...
CVE-2025-38160
In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently,raspberrypi_clk_register() does not check for this case, which resultsin a NULL pointer dereference. ...
CVE-2025-38161
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is thelast resource to be destroyed some SW resources were already cleanedregardless of the failure. Now pro...
CVE-2025-38163
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sbi->total_valid_block_count syzbot reported a f2fs bug as below: ------------[ cut here ]------------kernel BUG at fs/f2fs/f2fs.h:2521!RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2...
CVE-2025-38168
In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Unregister PMUs on probe failure When a resource allocation fails in one clock domain of an NI device,we need to properly roll back all previously registered perf PMUs inother clock domains of the same device. Otherwi...
CVE-2025-38169
In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP On system with SME, a thread's kernel FPSIMD state may be erroneouslyclobbered during a context switch immediately after that state isrestored. Systems without SME are ...
CVE-2025-38171
In the Linux kernel, the following vulnerability has been resolved: power: supply: max77705: Fix workqueue error handling in probe The create_singlethread_workqueue() doesn't return error pointers, itreturns NULL. Also cleanup the workqueue on the error paths.
CVE-2025-38172
In the Linux kernel, the following vulnerability has been resolved: erofs: avoid using multiple devices with different type For multiple devices, both primary and extra devices should be thesame type. erofs_init_device has already guaranteed that if theprimary is a file-backed device, extra devices...
CVE-2025-38175
In the Linux kernel, the following vulnerability has been resolved: binder: fix yet another UAF in binder_devices Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices")addressed a use-after-free where devices could be released without firstbeing removed from the binder_devices list...
CVE-2025-38187
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() The RPC container is released after being passed to r535_gsp_rpc_send(). When sending the initial fragment of a large RPC and passing thecaller's RPC container, the container...
CVE-2025-38188
In the Linux kernel, the following vulnerability has been resolved: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE Calling this packet is necessary when we switch contexts because thereare various pieces of state used by userspace to synchronize between BRand BV that are persistent across submits and we...
CVE-2025-38192
In the Linux kernel, the following vulnerability has been resolved: net: clear the dst when changing skb protocol A not-so-careful NAT46 BPF program can crash the kernelif it indiscriminately flips ingress packets from v4 to v6: BUG: kernel NULL pointer dereference, address: 0000000000000000ip6_rcv...
CVE-2025-38204
In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to127. Added a bound check for that error and return -EIO if the check fails.Also make jfs_readdir ...
CVE-2025-38205
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 [Why]If the dummy values in populate_dummy_dml_surface_cfg() aren't updatedthen they can lead to a divide by zero in downstream callers likeCalculateVMAndRowByt...
CVE-2025-38209
In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secureconcatenation") modified nvme_tcp_setup_ctrl() to callnvme_tcp_configure_admin_queue() twice. The fi...
CVE-2025-38210
In the Linux kernel, the following vulnerability has been resolved: configfs-tsm-report: Fix NULL dereference of tsm_ops Unlike sysfs, the lifetime of configfs objects is controlled byuserspace. There is no mechanism for the kernel to find and delete allcreated config-items. Instead, the configfs-t...
CVE-2025-38217
In the Linux kernel, the following vulnerability has been resolved: hwmon: (ftsteutates) Fix TOCTOU race in fts_read() In the fts_read() function, when handling hwmon_pwm_auto_channels_temp,the code accesses the shared variable data->fan_source[channel] twicewithout holding any locks. It is firs...
CVE-2025-38220
In the Linux kernel, the following vulnerability has been resolved: ext4: only dirty folios when data journaling regular files fstest generic/388 occasionally reproduces a crash that looks asfollows: BUG: kernel NULL pointer dereference, address: 0000000000000000...Call Trace:<TASK>ext4_block...
CVE-2025-38224
In the Linux kernel, the following vulnerability has been resolved: can: kvaser_pciefd: refine error prone echo_skb_max handling logic echo_skb_max should define the supported upper limit of echo_skb[]allocated inside the netdevice's priv. The corresponding size valueprovided by this driver to allo...
CVE-2025-38233
In the Linux kernel, the following vulnerability has been resolved: powerpc64/ftrace: fix clobbered r15 during livepatching While r15 is clobbered always with PPC_FTRACE_OUT_OF_LINE, it isnot restored in livepatch sequence leading to not so obvious failslike below: BUG: Unable to handle kernel data...
CVE-2025-38238
In the Linux kernel, the following vulnerability has been resolved: scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out When both the RHBA and RPA FDMI requests time out, fnic reuses a frame tosend ABTS for each of them. On send completion, this causes an attempt tofree the same frame...
CVE-2025-38239
In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access isdetected: megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0------------[ cut here ]------------UBSAN:...
CVE-2025-38241
In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix softlockup with mTHP swapin Following softlockup can be easily reproduced on my test machine with: echo always > /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabledswapon /dev/zram0 # zram0 is a 48G sw...
CVE-2025-38243
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid inode pointer dereferences during log replay In a few places where we call read_one_inode(), if we get a NULL pointerwe end up jumping into an error path, or fallthrough in case of__add_inode_ref(), where we then...
CVE-2025-38244
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when reconnecting channels Fix cifs_signal_cifsd_for_reconnect() to take the correct lock orderand prevent the following deadlock from happening ==================================================...
CVE-2025-38247
In the Linux kernel, the following vulnerability has been resolved: userns and mnt_idmap leak in open_tree_attr(2) Once want_mount_setattr() has returned a positive, it does requirefinish_mount_kattr() to release ->mnt_userns. Failing do_mount_setattr()does not change that. As the result, we can...