CVE-2025-38179

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma() This fixes the following problem: [ 749.901015] [ T8673] run fstests cifs/001 at 2025-06-17 09:40:30[ 750.346409] [ T9870] ==========================================...

CVE-2025-38180

In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(),leading to imbalance and UAF.

CVE-2025-38186

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() Before the commit under the Fixes tag below, bnxt_ulp_stop() andbnxt_ulp_start() were always invoked in pairs. After that commit,the new bnxt_ulp_restart() can be i...

CVE-2025-38196

In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: validate buffer count with offset for cloning syzbot reports that it can trigger a WARN_ON() for kmalloc() attemptthat's too big: WARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub...

CVE-2025-38208

In the Linux kernel, the following vulnerability has been resolved: smb: client: add NULL check in automount_fullpath page is checked for null in __build_path_from_dentry_optional_prefixwhen tcon->origin_fullpath is not set. However, the check is missing whenit is set.Add a check to prevent a po...

CVE-2025-38215

In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocatememory for fb_videomode, it will later lead to a null-ptr dereference infb_vide...

CVE-2025-38221

In the Linux kernel, the following vulnerability has been resolved: ext4: fix out of bounds punch offset Punching a hole with a start offset that exceeds max_end is notpermitted and will result in a negative length in thetruncate_inode_partial_folio() function while truncating the page cache,potent...

CVE-2025-38223

In the Linux kernel, the following vulnerability has been resolved: ceph: avoid kernel BUG for encrypted inode with unaligned file size The generic/397 test hits a BUG_ON for the case of encrypted inode withunaligned file size (for example, 33K or 1K): [ 877.737811] run fstests generic/397 at 2025-...

CVE-2025-38224

In the Linux kernel, the following vulnerability has been resolved: can: kvaser_pciefd: refine error prone echo_skb_max handling logic echo_skb_max should define the supported upper limit of echo_skb[]allocated inside the netdevice's priv. The corresponding size valueprovided by this driver to allo...

CVE-2025-38228

In the Linux kernel, the following vulnerability has been resolved: media: imagination: fix a potential memory leak in e5010_probe() Add video_device_release() to release the memory allocated byvideo_device_alloc() if something goes wrong.

CVE-2025-38231

In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc throughnfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,this can cau...

CVE-2025-38245

In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register()looks up a duplicated ...

CVE-2025-38246

In the Linux kernel, the following vulnerability has been resolved: bnxt: properly flush XDP redirect lists We encountered following crash when testing a XDP_REDIRECT featurein production: [56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740....

CVE-2025-38248

In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a multicastrouter resides. The list is consulted during forwarding to ensuremulticast packets are forwarded...

CVE-2025-38249

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned fromsnd_usb_ctl_msg() is used directly for memory allocation withoutvalidation. This length is c...

CVE-2025-38251

In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() callsclip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when readingskb->truesize.

CVE-2025-38254

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add sanity checks for drm_edid_raw() When EDID is retrieved via drm_edid_raw(), it doesn't guarantee toreturn proper EDID bytes the caller wants: it may be either NULL (thatleads to an Oops) or with too long bytes ...

CVE-2025-38257

In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable isdetermined by userspace via an ioctl call so the result of the product incalculation of size pa...

CVE-2025-38259

In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9335: Fix missing free of regulator supplies Driver gets and enables all regulator supplies in probe path(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanupin final error paths and in unbind (mi...

CVE-2025-38262

In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race canoccur. If one thread calls uart_register_driver function, which firstallocates and assigns memory to 'uart_st...

CVE-2025-38264

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part ofany list, otherwise a malicious R2T PDU might inject a loop in requestlist processing.

CVE-2025-38265

In the Linux kernel, the following vulnerability has been resolved: serial: jsm: fix NPE during jsm_uart_port_init No device was set which caused serial_base_ctrl_add to crash. BUG: kernel NULL pointer dereference, address: 0000000000000050Oops: Oops: 0000 [#1] PREEMPT SMP NOPTICPU: 16 UID: 0 PID: ...

CVE-2025-38268

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work A state check was previously added to tcpm_queue_vdm_unlocked toprevent a deadlock where the DisplayPort Alt Mode driver would beexecuting work and attempting to g...

CVE-2025-38272

In the Linux kernel, the following vulnerability has been resolved: net: dsa: b53: do not enable EEE on bcm63xx BCM63xx internal switches do not support EEE, but provide multiple RGMIIports where external PHYs may be connected. If one of these PHYs are EEEcapable, we may try to enable EEE for the M...

CVE-2025-38273

In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning 1 caused by calling get_net() ona network namespace that is being destroyed (refcount=0). This happenswhen a TIPC discovery timer fires during ...

CVE-2025-38275

In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result ofdevm_ioremap() for non-exclusive mappings. Since devm_ioremap() may returna NULL pointer and the caller only chec...

CVE-2025-38280

In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid __bpf_prog_ret0_warn when jit fails syzkaller reported an issue: WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357Modules linked in:CPU: 3 UID: 0 PID: 217 Comm: kwork...

CVE-2025-38282

In the Linux kernel, the following vulnerability has been resolved: kernfs: Relax constraint in draining guard The active reference lifecycle provides the break/unbreak mechanism butthe active reference is not truly active after unbreak -- callers don'tuse it afterwards but it's important for prope...

CVE-2025-38285

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix WARN() in get_bpf_raw_tp_regs syzkaller reported an issue: WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861Modules linked in:CPU: 3 UID: 0 PID: 5971 Co...

CVE-2025-38291

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash Currently, we encounter the following kernel call trace when a firmwarecrash occurs. This happens because the host sends WMI commands to thefirmware while...

CVE-2025-38298

In the Linux kernel, the following vulnerability has been resolved: EDAC/skx_common: Fix general protection fault After loading i10nm_edac (which automatically loads skx_edac_common), ifunload only i10nm_edac, then reload it and perform error injection testing,a general protection fault may occur: ...

CVE-2025-38300

In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg() fails for areq->dst, the device driver would try to freeDMA ...

CVE-2025-38311

In the Linux kernel, the following vulnerability has been resolved: iavf: get rid of the crit lock Get rid of the crit lock.That frees us from the error prone logic of try_locks. Thanks to netdev_lock() by Jakub it is now easy, and in most cases we wereprotected by it already - replace crit lock by...

CVE-2025-38313

In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on mc_dev The blamed commit tried to simplify how the deallocations are done but,in the process, introduced a double-free on the mc_dev variable. In case the MC device is a DPRC, a new mc_bus is allocat...

CVE-2025-38321

In the Linux kernel, the following vulnerability has been resolved: smb: Log an error when close_all_cached_dirs fails Under low-memory conditions, close_all_cached_dirs() can't move thedentries to a separate list to dput() them once the locks are dropped.This will result in a "Dentry still in use"...

CVE-2025-38322

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000CPU: 23 UID: 0 PID: 0 Comm: swapper...

CVE-2025-38323

In the Linux kernel, the following vulnerability has been resolved: net: atm: add lec_mutex syzbot found its way in net/atm/lec.c, and found an error pathin lecd_attach() could leave a dangling pointer in dev_lec[]. Add a mutex to protect dev_lecp[] uses from lecd_attach(),lec_vcc_attach() and lec_...

CVE-2025-38332

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because itthinks the target buffer will overflow although the correct targetbuffer size is passed in. Anyway, instead of memset() wi...

CVE-2025-38333

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to bail out in get_new_segment() ------------[ cut here ]------------WARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 new_curseg+0x5e8/0x6dcpc : new_curseg+0x5e8/0x6dcCall trace:new_curseg+0x5e8/0x6dcf2fs_allocate_data_...

CVE-2025-38347

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds.Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0"echo 0 > /proc/sys/kerne...

CVE-2022-49939

In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment thereference for a node. In this case, the target proc normally releasesthe failed reference upon close as...

CVE-2022-49947

In the Linux kernel, the following vulnerability has been resolved: binder: fix alloc->vma_vm_mm null-ptr dereference Syzbot reported a couple issues introduced by commit 44e602b4e52f("binder_alloc: add missing mmap_lock calls when using the VMA"), inwhich we attempt to acquire the mmap_lock whe...

CVE-2022-49959

In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix memory leak at failed datapath creation ovs_dp_cmd_new()->ovs_dp_change()->ovs_dp_set_upcall_portids()allocates array via kmalloc.If for some reason new_vport() fails during ovs_dp_cmd_new()dp->upcall_port...

CVE-2022-49967

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a data-race around bpf_jit_limit. While reading bpf_jit_limit, it can be changed concurrently via sysctl,WRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limitis long, so we need to add a paired READ_ONCE...

CVE-2022-49970

In the Linux kernel, the following vulnerability has been resolved: bpf, cgroup: Fix kernel BUG in purge_effective_progs Syzkaller reported a triggered kernel BUG as follows: ------------[ cut here ]------------kernel BUG at kernel/bpf/cgroup.c:925!invalid opcode: 0000 [#1] PREEMPT SMP NOPTICPU: 1 ...

CVE-2022-49992

In the Linux kernel, the following vulnerability has been resolved: mm/mprotect: only reference swap pfn page if type match Yu Zhao reported a bug after the commit "mm/swap: Add swp_offset_pfn() tofetch PFN from swap entry" added a check in swp_offset_pfn() for swap type [1]: kernel BUG at include/...

CVE-2022-49994

In the Linux kernel, the following vulnerability has been resolved: bootmem: remove the vmemmap pages from kmemleak in put_page_bootmem The vmemmap pages is marked by kmemleak when allocated from memblock.Remove it from kmemleak when freeing the page. Otherwise, when we reusethe page, kmemleak may ...

CVE-2022-49996

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix possible memory leak in btrfs_get_dev_args_from_path() In btrfs_get_dev_args_from_path(), btrfs_get_bdev_and_sb() can fail ifthe path is invalid. In this case, btrfs_get_dev_args_from_path()returns directly without freei...

CVE-2022-50001

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tproxy: restrict to prerouting hook TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.This fixes a crash (null dereference) when using tproxy from e.g. output.

CVE-2022-50004

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix metadata dst->dev xmit null pointer dereference When we try to transmit an skb with metadata_dst attached (i.e. dst->dev== NULL) through xfrm interface we can hit a null pointer dereference[1]in xfrmi_xmit2(...