9933 matches found
CVE-2025-38349
In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep refcount and thendoing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead t...
CVE-2025-38415
In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result of sb_min_blocksize Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. Syzkaller forks multiple processes which after mounting the Squashfsfilesystem, issues an ioctl("/dev/loo...
CVE-2025-38437
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen byaccessing opinfo->state and opinfo_put and ksmbd_fd_put couldcalled twice.
CVE-2025-38464
In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netnsdismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and callstipc_conn_close() for each t...
CVE-2025-38465
In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same proble...
CVE-2025-38497
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage'sysfs attributes, the store functions attempt to access page[l - 1]before validating that the length 'l' is ...
CVE-2025-38051
In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which mayaccess the rsp buffer after it has been released, triggering thefollowing KASAN warning. ===================...
CVE-2025-38073
In the Linux kernel, the following vulnerability has been resolved: block: fix race between set_blocksize and read paths With the new large sector size support, it's now the case thatset_blocksize can change i_blksize and the folio order in a manner thatconflicts with a concurrent reader and causes...
CVE-2025-38098
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector.While dereferencing aconnector->base will "work" it's wrong andmight l...
CVE-2025-38099
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can causethe controller to lock up.
CVE-2025-38101
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() Enlarge the critical section in ring_buffer_subbuf_order_set() toensure that error handling takes place with per-buffer mutex held,thus preventing list corruption an...
CVE-2025-38106
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() syzbot reports: BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60Read of size 8 at addr ffff88810de2d2c8 by task a.out/304 CPU: 0 UID: 0 PID: 304 Co...
CVE-2025-38116
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix uaf in ath12k_core_init() When the execution of ath12k_core_hw_group_assign() orath12k_core_hw_group_create() fails, the registered notifier chain is notunregistered properly. Its memory is freed after rmmod, whic...
CVE-2025-38168
In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Unregister PMUs on probe failure When a resource allocation fails in one clock domain of an NI device,we need to properly roll back all previously registered perf PMUs inother clock domains of the same device. Otherwi...
CVE-2025-38205
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 [Why]If the dummy values in populate_dummy_dml_surface_cfg() aren't updatedthen they can lead to a divide by zero in downstream callers likeCalculateVMAndRowByt...
CVE-2025-38270
In the Linux kernel, the following vulnerability has been resolved: net: drv: netdevsim: don't napi_complete() from netpoll netdevsim supports netpoll. Make sure we don't call napi_complete()from it, since it may not be scheduled. Breno reports hitting awarning in napi_complete_done(): WARNING: CPU...
CVE-2025-38273
In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning 1 caused by calling get_net() ona network namespace that is being destroyed (refcount=0). This happenswhen a TIPC discovery timer fires during ...
CVE-2025-38274
In the Linux kernel, the following vulnerability has been resolved: fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() fpga_mgr_test_img_load_sgt() allocates memory for sgt usingkunit_kzalloc() however it does not check if the allocation failed.It then passes sgt to sg_alloc_tab...
CVE-2025-38284
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: configure manual DAC mode via PCI config API only To support 36-bit DMA, configure chip proprietary bit via PCI config APIor chip DBI interface. However, the PCI device mmap isn't set yet andthe DBI is also inacce...
CVE-2025-38329
In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info) KASAN reported out of bounds access - cs_dsp_mock_wmfw_add_info(),because the source string length was rounded up to the allocation size.
CVE-2025-38338
In the Linux kernel, the following vulnerability has been resolved: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() Sometimes, when a file was read while it was being truncated byanother NFS client, the kernel could deadlock because folio_unlock()was called twice, and the second call...
CVE-2025-38363
In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null pointer dereference In tegra_crtc_reset(), new memory is allocated with kzalloc(), butno check is performed. Before calling __drm_atomic_helper_crtc_reset,state should be checked to prevent possible n...
CVE-2025-38391
In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: do not index invalid pin_assignments A poorly implemented DisplayPort Alt Mode port partner can indicatethat its pin assignment capabilities are greater than the maximumvalue, DP_PIN_ASSIGN_F. In t...
CVE-2025-38395
In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. Butthe memory is allocated for only one pointer. This will lead toout-of-bounds access later in ...
CVE-2025-38396
In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to createanonymous inodes with proper security context. This replaces the currentpattern of calli...
CVE-2025-38412
In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks After retrieving WMI data blocks in sysfs callbacks, check for thevalidity of them before dereferencing their content.
CVE-2025-38436
In the Linux kernel, the following vulnerability has been resolved: drm/scheduler: signal scheduled fence when kill job When an entity from application B is killed, drm_sched_entity_kill()removes all jobs belonging to that entity throughdrm_sched_entity_kill_jobs_work(). If application A's job depe...
CVE-2025-38477
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg(called during qfq_enqueue) while other threads access itconcurrently. For example, qfq_dump_class may trigg...
CVE-2025-38498
In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts locatedin the caller's mount namespace. This change aligns permission checkingwith the rest of mount(2...
CVE-2022-50230
In the Linux kernel, the following vulnerability has been resolved: arm64: set UXN on swapper page tables [ This issue was fixed upstream by accident in c3cee924bd85 ("arm64:head: cover entire kernel image in initial ID map") as part of alarge refactoring of the arm64 boot flow. This simple fix is ...
CVE-2025-38006
In the Linux kernel, the following vulnerability has been resolved: net: mctp: Don't access ifa_index when missing In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, butonly when the struct ifaddrmsg is provided. Otherwise it will becomparing to uninitialised memory - reproducible i...
CVE-2025-38034
In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref btrfs_prelim_ref() calls the old and new reference variables in theincorrect order. This causes a NULL pointer dereference because oldrefis passed as NULL to tra...
CVE-2025-38048
In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is thesimplified stack when the issue occurred: ===========================================...
CVE-2025-38063
In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush()generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC,which causes the flush_bio to be thrott...
CVE-2025-38066
In the Linux kernel, the following vulnerability has been resolved: dm cache: prevent BUG_ON by blocking retries on failed device resumes A cache device failing to resume due to mapping errors should not beretried, as the failure leaves a partially initialized policy object.Repeating the resume ope...
CVE-2025-38074
In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used isalready set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work()-> vhost_add_use...
CVE-2025-38075
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection NOPIN response timer may expire on a deleted connection and crash withsuch logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d...
CVE-2025-38137
In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Cancel outstanding rescan work when unregistering It's possible to trigger use-after-free here by: (a) forcing rescan_work_func() to take a long time and(b) utilizing a pwrctrl driver that may be unloaded for some reas...
CVE-2025-38155
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()does not check for this case, which results in a NULL pointerdereference. Prevent null pointer ...
CVE-2025-38186
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() Before the commit under the Fixes tag below, bnxt_ulp_stop() andbnxt_ulp_start() were always invoked in pairs. After that commit,the new bnxt_ulp_restart() can be i...
CVE-2025-38210
In the Linux kernel, the following vulnerability has been resolved: configfs-tsm-report: Fix NULL dereference of tsm_ops Unlike sysfs, the lifetime of configfs objects is controlled byuserspace. There is no mechanism for the kernel to find and delete allcreated config-items. Instead, the configfs-t...
CVE-2025-38223
In the Linux kernel, the following vulnerability has been resolved: ceph: avoid kernel BUG for encrypted inode with unaligned file size The generic/397 test hits a BUG_ON for the case of encrypted inode withunaligned file size (for example, 33K or 1K): [ 877.737811] run fstests generic/397 at 2025-...
CVE-2025-38228
In the Linux kernel, the following vulnerability has been resolved: media: imagination: fix a potential memory leak in e5010_probe() Add video_device_release() to release the memory allocated byvideo_device_alloc() if something goes wrong.
CVE-2025-38253
In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix crash in wacom_aes_battery_handler() Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extendedinactivity") introduced wacom_aes_battery_handler() which is scheduledas a delayed work (aes_battery_work)...
CVE-2025-38256
In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: fix folio unpinning syzbot complains about an unmapping failure: [ 108.070381][ T14] kernel BUG at mm/gup.c:71![ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP[ 108.123672][ T14] Hardware nam...
CVE-2025-38267
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not trigger WARN_ON() due to a commit_overrun When reading a memory mapped buffer the reader page is just swapped outwith the last page written in the write buffer. If the reader page is thesame as the commit buffer...
CVE-2025-38268
In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work A state check was previously added to tcpm_queue_vdm_unlocked toprevent a deadlock where the DisplayPort Alt Mode driver would beexecuting work and attempting to g...
CVE-2025-38295
In the Linux kernel, the following vulnerability has been resolved: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly usessmp_processor_id(), which assumes disabled preemption. This l...
CVE-2025-38380
In the Linux kernel, the following vulnerability has been resolved: i2c/designware: Fix an initialization issue The i2c_dw_xfer_init() function requires msgs and msg_write_idx from thedev context to be initialized. amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx. This could a...
CVE-2025-38403
In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci transport packet properly when initializing it In vmci_transport_packet_init memset the vmci_transport_packet beforepopulating the fields to avoid any uninitialised data being left in thestructure.