CVE-2025-38143

In the Linux kernel, the following vulnerability has been resolved: backlight: pm8941: Add NULL check in wled_configure() devm_kasprintf() returns NULL when memory allocation fails. Currently,wled_configure() does not check for this case, which results in a NULLpointer dereference. Add NULL check a...

CVE-2025-38149

In the Linux kernel, the following vulnerability has been resolved: net: phy: clear phydev->devlink when the link is deleted There is a potential crash issue when disabling and re-enabling thenetwork port. When disabling the network port, phy_detach() callsdevice_link_del() to remove the device ...

CVE-2025-38151

In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work The cited commit fixed a crash when cma_netevent_callback was called fora cma_id while work on that id from a previous call had not yet started.The work item was re-...

CVE-2025-38157

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from anath9k_htc-managed device before beaconing has been enabled. This causesa device-by-zero error in the driver...

CVE-2025-38158

In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: fix XQE dma address error The dma addresses of EQE and AEQE are wrong after migration andresults in guest kernel-mode encryption services failure.Comparing the definition of hardware registers, we found thatthere...

CVE-2025-38160

In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently,raspberrypi_clk_register() does not check for this case, which resultsin a NULL pointer dereference. ...

CVE-2025-38161

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is thelast resource to be destroyed some SW resources were already cleanedregardless of the failure. Now pro...

CVE-2025-38163

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sbi->total_valid_block_count syzbot reported a f2fs bug as below: ------------[ cut here ]------------kernel BUG at fs/f2fs/f2fs.h:2521!RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2...

CVE-2025-38168

In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Unregister PMUs on probe failure When a resource allocation fails in one clock domain of an NI device,we need to properly roll back all previously registered perf PMUs inother clock domains of the same device. Otherwi...

CVE-2025-38178

In the Linux kernel, the following vulnerability has been resolved: EDAC/igen6: Fix NULL pointer dereference A kernel panic was reported with the following kernel log: EDAC igen6: Expected 2 mcs, but only 1 detected.BUG: unable to handle page fault for address: 000000000000d570...Hardware name: Not...

CVE-2025-38179

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma() This fixes the following problem: [ 749.901015] [ T8673] run fstests cifs/001 at 2025-06-17 09:40:30[ 750.346409] [ T9870] ==========================================...

CVE-2025-38186

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() Before the commit under the Fixes tag below, bnxt_ulp_stop() andbnxt_ulp_start() were always invoked in pairs. After that commit,the new bnxt_ulp_restart() can be i...

CVE-2025-38192

In the Linux kernel, the following vulnerability has been resolved: net: clear the dst when changing skb protocol A not-so-careful NAT46 BPF program can crash the kernelif it indiscriminately flips ingress packets from v4 to v6: BUG: kernel NULL pointer dereference, address: 0000000000000000ip6_rcv...

CVE-2025-38196

In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: validate buffer count with offset for cloning syzbot reports that it can trigger a WARN_ON() for kmalloc() attemptthat's too big: WARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub...

CVE-2025-38204

In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to127. Added a bound check for that error and return -EIO if the check fails.Also make jfs_readdir ...

CVE-2025-38221

In the Linux kernel, the following vulnerability has been resolved: ext4: fix out of bounds punch offset Punching a hole with a start offset that exceeds max_end is notpermitted and will result in a negative length in thetruncate_inode_partial_folio() function while truncating the page cache,potent...

CVE-2025-38223

In the Linux kernel, the following vulnerability has been resolved: ceph: avoid kernel BUG for encrypted inode with unaligned file size The generic/397 test hits a BUG_ON for the case of encrypted inode withunaligned file size (for example, 33K or 1K): [ 877.737811] run fstests generic/397 at 2025-...

CVE-2025-38224

In the Linux kernel, the following vulnerability has been resolved: can: kvaser_pciefd: refine error prone echo_skb_max handling logic echo_skb_max should define the supported upper limit of echo_skb[]allocated inside the netdevice's priv. The corresponding size valueprovided by this driver to allo...

CVE-2025-38228

In the Linux kernel, the following vulnerability has been resolved: media: imagination: fix a potential memory leak in e5010_probe() Add video_device_release() to release the memory allocated byvideo_device_alloc() if something goes wrong.

CVE-2025-38239

In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access isdetected: megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0------------[ cut here ]------------UBSAN:...

CVE-2025-38244

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when reconnecting channels Fix cifs_signal_cifsd_for_reconnect() to take the correct lock orderand prevent the following deadlock from happening ==================================================...

CVE-2025-38250

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread close()d a vhci file descriptor whileits device was being used by iotcl() on another...

CVE-2025-38254

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add sanity checks for drm_edid_raw() When EDID is retrieved via drm_edid_raw(), it doesn't guarantee toreturn proper EDID bytes the caller wants: it may be either NULL (thatleads to an Oops) or with too long bytes ...

CVE-2025-38265

In the Linux kernel, the following vulnerability has been resolved: serial: jsm: fix NPE during jsm_uart_port_init No device was set which caused serial_base_ctrl_add to crash. BUG: kernel NULL pointer dereference, address: 0000000000000050Oops: Oops: 0000 [#1] PREEMPT SMP NOPTICPU: 16 UID: 0 PID: ...

CVE-2025-38268

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work A state check was previously added to tcpm_queue_vdm_unlocked toprevent a deadlock where the DisplayPort Alt Mode driver would beexecuting work and attempting to g...

CVE-2025-38277

In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret If ctx->steps is zero, the loop processing ECC steps is skipped,and the variable ret remains uninitialized. It is later checkedand returned, which leads to undefined beh...

CVE-2025-38283

In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: bugfix live migration function without VF device driver If the VF device driver is not loaded in the Guest OS and we attempt toperform device data migration, the address of the migrated data willbe NULL.The live ...

CVE-2025-38286

In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible out-of-boundary access at91_gpio_probe() doesn't check that given OF alias is not available orsomething went wrong when trying to get it. This might have consequenceswhen accessing gpio_chips array with ...

CVE-2025-38291

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash Currently, we encounter the following kernel call trace when a firmwarecrash occurs. This happens because the host sends WMI commands to thefirmware while...

CVE-2025-38293

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() onlyreinitializes the "arvifs" list head. This will cause thelist node immediately following the list head to become ani...

CVE-2025-38304

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannotbe used for skipping to next entry of EIR_SERVICE_DATA.

CVE-2025-38305

In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clockand ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire...

CVE-2025-38310

In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthopaddress does not exceed the specified length. This can lead to thekernel reading uninitialized memory if user space pro...

CVE-2025-38319

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table The function atomctrl_initialize_mc_reg_table() andatomctrl_initialize_mc_reg_table_v2_2() does not check the returnvalue of smu_atom_get_data_t...

CVE-2025-38320

In the Linux kernel, the following vulnerability has been resolved: arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth(). Call Trace:[ 97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth...

CVE-2025-38324

In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be calledfrom mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rc...

CVE-2025-38326

In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that arewaiting to be transmitted to the aoe target. This queue was added aspart of the conversion to blk_mq. However, the queue...

CVE-2025-38331

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE/TSO on all TCP It is desireable to push the hardware accelerator to alsoprocess non-segmented TCP frames: we pass the skb->lento the "TOE/TSO" offloader and it will handle them. Without this quirk...

CVE-2025-38344

In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute ofSouth Korea. I have been doing a research on ACPI and fo...

CVE-2025-38345

In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ...

CVE-2022-49939

In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment thereference for a node. In this case, the target proc normally releasesthe failed reference upon close as...

CVE-2022-49947

In the Linux kernel, the following vulnerability has been resolved: binder: fix alloc->vma_vm_mm null-ptr dereference Syzbot reported a couple issues introduced by commit 44e602b4e52f("binder_alloc: add missing mmap_lock calls when using the VMA"), inwhich we attempt to acquire the mmap_lock whe...

CVE-2022-49959

In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix memory leak at failed datapath creation ovs_dp_cmd_new()->ovs_dp_change()->ovs_dp_set_upcall_portids()allocates array via kmalloc.If for some reason new_vport() fails during ovs_dp_cmd_new()dp->upcall_port...

CVE-2022-49967

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a data-race around bpf_jit_limit. While reading bpf_jit_limit, it can be changed concurrently via sysctl,WRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limitis long, so we need to add a paired READ_ONCE...

CVE-2022-49970

In the Linux kernel, the following vulnerability has been resolved: bpf, cgroup: Fix kernel BUG in purge_effective_progs Syzkaller reported a triggered kernel BUG as follows: ------------[ cut here ]------------kernel BUG at kernel/bpf/cgroup.c:925!invalid opcode: 0000 [#1] PREEMPT SMP NOPTICPU: 1 ...

CVE-2022-49992

In the Linux kernel, the following vulnerability has been resolved: mm/mprotect: only reference swap pfn page if type match Yu Zhao reported a bug after the commit "mm/swap: Add swp_offset_pfn() tofetch PFN from swap entry" added a check in swp_offset_pfn() for swap type [1]: kernel BUG at include/...

CVE-2022-49994

In the Linux kernel, the following vulnerability has been resolved: bootmem: remove the vmemmap pages from kmemleak in put_page_bootmem The vmemmap pages is marked by kmemleak when allocated from memblock.Remove it from kmemleak when freeing the page. Otherwise, when we reusethe page, kmemleak may ...

CVE-2022-49996

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix possible memory leak in btrfs_get_dev_args_from_path() In btrfs_get_dev_args_from_path(), btrfs_get_bdev_and_sb() can fail ifthe path is invalid. In this case, btrfs_get_dev_args_from_path()returns directly without freei...

CVE-2022-50001

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tproxy: restrict to prerouting hook TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.This fixes a crash (null dereference) when using tproxy from e.g. output.

CVE-2022-50004

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix metadata dst->dev xmit null pointer dereference When we try to transmit an skb with metadata_dst attached (i.e. dst->dev== NULL) through xfrm interface we can hit a null pointer dereference[1]in xfrmi_xmit2(...