CVE-2025-21932

In the Linux kernel, the following vulnerability has been resolved: mm: abort vma_modify() on merge out of memory failure The remainder of vma_modify() relies upon the vmg state remaining pristineafter a merge attempt. Usually this is the case, however in the one edge case scenario of a mergeattemp...

CVE-2025-37895

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix error handling path in bnxt_init_chip() WARN_ON() is triggered in __flush_work() if bnxt_init_chip() failsbecause we call cancel_work_sync() on dim work that has not beeninitialized. WARNING: CPU: 37 PID: 5223 at kerne...

CVE-2025-37906

In the Linux kernel, the following vulnerability has been resolved: ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd ublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, butwe may have scheduled task work via io_uring_cmd_complete_in_task() fordispatching reque...

CVE-2025-37971

In the Linux kernel, the following vulnerability has been resolved: staging: bcm2835-camera: Initialise dev in v4l2_dev Commit 42a2f6664e18 ("staging: vc04_services: Move global g_state tovchiq_state") changed mmal_init to pass dev->v4l2_dev.dev tovchiq_mmal_init, however nothing iniitialised de...

CVE-2025-37977

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set If dma-coherent property isn't set then descriptors are non-cacheableand the iocc shareability bits should be disabled. Without this UFS canend up in an incompatibl...

CVE-2025-37988

In the Linux kernel, the following vulnerability has been resolved: fix a couple of races in MNT_TREE_BENEATH handling by do_move_mount() Normally do_lock_mount(path, _) is locking a mountpoint pinned by*path and at the time when matching unlock_mount() unlocks thatlocation it is still pinned by th...

CVE-2025-38013

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating thestruct cfg80211_registered_device::int_scan_req member. Seen withsyzkaller: UBSAN: array-index-out-of...

CVE-2025-38027

In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using anarray of struct of_regulator_match allocated on the stack for thematches argument. of_regulator_match() calls devm_of_...

CVE-2025-38059

In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid csum tree [BUG]When trying read-only scrub on a btrfs with rescue=idatacsums mountoption, it will crash with the following call trace: BUG: kernel NULL pointer dereference, address:...

CVE-2025-38072

In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in itsmemory device information (Identify Memory Device (Opcode 4000h), CXLspec. 3.1, 8.2.9.9.1.1), a divide er...

CVE-2025-38077

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() If the 'buf' array received from the user contains an empty string, the'length' variable will be zero. Accessing the 'buf' array element withindex 'le...

CVE-2025-38214

In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory forfb_videomode, later it may lead to a null-ptr dereference infb_videomode_to_var(), as the fb_i...

CVE-2025-38352

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() andcalls handle_posix_cpu_timers() from IRQ, it can be reaped by its parento...

CVE-2001-0907

Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows local users to cause a denial of service via a series of deeply nested symlinks, which causes the kernel to spend extra time when trying to access the link.

CVE-2001-1399

Certain operations in Linux kernel before 2.2.19 on the x86 architecture copy the wrong number of bytes, which might allow attackers to modify memory, aka "User access asm bug on x86."

CVE-2009-3043

The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux kernel 2.6.31-rc before 2.6.31-rc8 allows local users to cause a denial of service (system crash, sometimes preceded by a NULL pointer dereference) or possibly gain privileges via certain pseudo-terminal I/O activity, as demonst...

CVE-2009-3623

The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 subsystem in the Linux kernel before 2.6.31.2 attempts to access a credentials cache even when a client specifies the AUTH_NULL authentication flavor, which allows remote attackers to cause a denial of service (NULL pointer derefere...

CVE-2009-3888

The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2.6.31.6, when the CPU lacks a memory management unit, allows local users to cause a denial of service (OOPS) via an application that attempts to allocate a large amount of memory.

CVE-2021-47271

In the Linux kernel, the following vulnerability has been resolved: usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler Patch fixes the following critical issue caused by deadlock which has beendetected during testing NCM class: smp: csd: Detected non-responsive CSD lock (#1) on CPU#0smp: cs...

CVE-2022-48894

In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-v3: Don't unregister on shutdown Similar to SMMUv2, this driver calls iommu_device_unregister() from theshutdown path, which removes the IOMMU groups with no coordinationwhatsoever with their users - shutdown methods...

CVE-2022-48964

In the Linux kernel, the following vulnerability has been resolved: ravb: Fix potential use-after-free in ravb_rx_gbeth() The skb is delivered to napi_gro_receive() which may free it, after calling this,dereferencing skb may trigger use-after-free.

CVE-2022-48965

In the Linux kernel, the following vulnerability has been resolved: gpio/rockchip: fix refcount leak in rockchip_gpiolib_register() The node returned by of_get_parent() with refcount incremented,of_node_put() needs be called when finish using it. So add it in theend of of_pinctrl_get().

CVE-2022-49919

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flow rule object from commit path No need to postpone this to the commit release path, since no packetsare walking over this object, this is accessed from control plane only.This helped uncovered UAF t...

CVE-2022-49934

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix UAF in ieee80211_scan_rx() ieee80211_scan_rx() tries to access scan_req->flags after anull check, but a UAF is observed when the scan is completedand __ieee80211_scan_completed() executes, which then callscfg...

CVE-2022-49964

In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level Though acpi_find_last_cache_level() always returned signed value and thedocument states it will return any errors caused by lack of a PPTT table,...

CVE-2022-50131

In the Linux kernel, the following vulnerability has been resolved: HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() Smatch Warning:drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()'&mcp->txbuf[5]' too small (59 vs 255)drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() e...

CVE-2023-52987

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write() The "id" comes from the user. Change the type to unsigned to preventan array underflow.

CVE-2023-53136

In the Linux kernel, the following vulnerability has been resolved: af_unix: fix struct pid leaks in OOB support syzbot reported struct pid leak [1]. Issue is that queue_oob() calls maybe_add_creds() which potentiallyholds a reference on a pid. But skb->destructor is not set (either directly or ...

CVE-2024-46696

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix potential UAF in nfsd4_cb_getattr_release Once we drop the delegation reference, the fields embedded in it are nolonger safe to access. Do that last.

CVE-2024-46799

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX If number of TX queues are set to 1 we get a NULL pointerdereference during XDP_TX. ~# ethtool -L eth0 tx 1~# ./xdp-trafficgen udp -A -a eth0 -t 2Transmitting on eth0 (...

CVE-2024-54191

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Fix circular lock in iso_conn_big_sync This fixes the circular locking dependency warning below, by reworkingiso_sock_recvmsg, to ensure that the socket lock is always releasedbefore calling a function that locks hd...

CVE-2024-56666

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Dereference null return value In the function pqm_uninit there is a call-assignment of "pdd =kfd_get_process_device_data" which could be null, and this value waslater dereferenced without checking.

CVE-2025-21717

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq kvzalloc_node is not doing a runtime check on the node argument(__alloc_pages_node_noprof does have a VM_BUG_ON, but it expands tonothing on !CONFIG_D...

CVE-2025-37919

In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot Update chip data using dev_get_drvdata(dev->parent) to fixNULL pointer deref in acp_i2s_set_tdm_slot.

CVE-2025-37962

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leak in parse_lease_state() The previous patch that added bounds check for create lease contextintroduced a memory leak. When the bounds check fails, the functionreturns NULL without freeing the previously allocat...

CVE-2025-38043

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Set dma_mask for ffa devices Set dma_mask for FFA devices, otherwise DMA allocation using the device pointerlead to following warning: WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124

CVE-2025-38044

In the Linux kernel, the following vulnerability has been resolved: media: cx231xx: set device_caps for 417 The video_device for the MPEG encoder did not set device_caps. Add this, otherwise the video device can't be registered (you get aWARN_ON instead). Not seen before since currently 417 support...

CVE-2025-38078

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data atinitialization (or reconfiguration) of a stream with the explicit callof snd_pcm_format_set_silence() with ru...

CVE-2025-38212

In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, 0 idr_for_each() is protected by rwsem, but this is not enough. If it isnot protected by RCU read-critical region, when i...

CVE-2025-38292

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and booleanis_continuation is part of rxcb.Currently, after freeing the skb, the rxcb->is_continuation accessedagain which is w...

CVE-1999-1341

Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices.

CVE-2013-3233

The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2022-48871

In the Linux kernel, the following vulnerability has been resolved: tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer Driver's probe allocates memory for RX FIFO (port->rx_fifo) based ondefault RX FIFO depth, e.g. 16. Later during serial startup theqcom_geni_serial_port_set...

CVE-2022-48888

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path of_icc_get() alloc resources for path1, we should release it when notneed anymore. Early return when IS_ERR_OR_NULL(path0) may leak path1.Defer getting path1 to fix t...

CVE-2022-48984

In the Linux kernel, the following vulnerability has been resolved: can: slcan: fix freed work crash The LTP test pty03 is causing a crash in slcan:BUG: kernel NULL pointer dereference, address: 0000000000000008#PF: supervisor read access in kernel mode#PF: error_code(0x0000) - not-present pagePGD ...

CVE-2022-49844

In the Linux kernel, the following vulnerability has been resolved: can: dev: fix skb drop check In commit a6d190f8c767 ("can: skb: drop tx skb if in listen onlymode") the priv->ctrlmode element is read even on virtual CANinterfaces that do not create the struct can_priv at startup. Thisout-of-b...

CVE-2022-49985

In the Linux kernel, the following vulnerability has been resolved: bpf: Don't use tnum_range on array range checking for poke descriptors Hsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer whichis based on a customized syzkaller: BUG: KASAN: slab-out-of-bounds in bpf_int_jit_com...

CVE-2022-50021

In the Linux kernel, the following vulnerability has been resolved: ext4: block range must be validated before use in ext4_mb_clear_bb() Block range to free is validated in ext4_free_blocks() usingext4_inode_block_valid() and then it's passed to ext4_mb_clear_bb().However in some situations on biga...

CVE-2022-50087

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails When scpi probe fails, at any point, we need to ensure that the scpi_infois not set and will remain NULL until the probe succeeds. If it is nottaken care, then...

CVE-2022-50092

In the Linux kernel, the following vulnerability has been resolved: dm thin: fix use-after-free crash in dm_sm_register_threshold_callback Fault inject on pool metadata device reports:BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80Read of size 8 at addr ffff8881b9d50068 ...