10741 matches found
CVE-2025-38325
In the Linux kernel, the following vulnerability has been resolved: ksmbd: add free_transport ops in ksmbd connection free_transport function for tcp connection can be called from smbdirect. It will cause kernel oops. This patch add free_transport ops in ksmbd connection, and add each free_transports...
CVE-2025-38307
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Verify content returned by parse_int_array() The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref.
CVE-2025-38314
In the Linux kernel, the following vulnerability has been resolved: virtio-pci: Fix result size returned for the admin command completion The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of th...
CVE-2025-38315
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Check dsbr size from EFI variable Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fa...
CVE-2025-38317
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix buffer overflow in debugfs If the user tries to write more than 32 bytes then it results in memory corruption. Fortunately, this is debugfs so it's limited to root users.
CVE-2025-38328
In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implie...
CVE-2025-38329
In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info) KASAN reported out of bounds access - cs_dsp_mock_wmfw_add_info(), because the source string length was rounded up to the allocation size.
CVE-2025-38343
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: drop fragments with multicast or broadcast RA IEEE 802.11 fragmentation can only be applied to unicast frames. Therefore, drop fragments with multicast or broadcast RA. This patch addresses vulnerabilities such as...
CVE-2025-38351
In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request inva...
CVE-2022-49955
In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Fix RTAS MSR[HV] handling for Cell The semi-recent changes to MSR handling when entering RTAS (firmware) cause crashes on IBM Cell machines. An example trace: kernel tried to execute user page (2fff01a8) - exploit atte...
CVE-2022-49973
In the Linux kernel, the following vulnerability has been resolved: skmsg: Fix wrong last sg check in sk_msg_recvmsg() Fix one kernel NULL pointer dereference as below: [ 224.462334] Call Trace: [ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380 [ 224.462441] ? sock_has_perm+0x78/0xa0 [ 224.462463] tcp_bpf_re...
CVE-2022-50048
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: possible module reference underflow in error path dst->ops is set on when nft_expr_clone() fails, but module refcount has not been bumped yet, therefore nft_expr_destroy() leads to module reference underflow.
CVE-2022-50049
In the Linux kernel, the following vulnerability has been resolved: ASoC: DPCM: Don't pick up BE without substream When DPCM tries to add valid BE connections at dpcm_add_paths(), it doesn't check whether the picked BE actually supports for the given stream direction. Due to that, when an asymmetric ...
CVE-2022-50071
In the Linux kernel, the following vulnerability has been resolved: mptcp: move subflow cleanup in mptcp_destroy_common() If the mptcp socket creation fails due to a CGROUP_INET_SOCK_CREATE eBPF program, the MPTCP protocol ends-up leaking all the subflows: the related cleanup happens in __mptcp_destr...
CVE-2022-50119
In the Linux kernel, the following vulnerability has been resolved: rpmsg: Fix possible refcount leak in rpmsg_register_device_override() rpmsg_register_device_override need to call put_device to free vch when driver_set_override fails. Fix this by adding a put_device() to the error path.
CVE-2022-50167
In the Linux kernel, the following vulnerability has been resolved: bpf: fix potential 32-bit overflow when accessing ARRAY map element If BPF array map is bigger than 4GB, element pointer calculation can overflow because both index and elem_size are u32. Fix this everywhere by forcing 64-bit multipl...
CVE-2022-50174
In the Linux kernel, the following vulnerability has been resolved: net: hinic: avoid kernel hung in hinic_get_stats64() When using hinic device as a bond slave device, and reading device stats of master bond device, the kernel may hung. The kernel panic calltrace as follows: Kernel panic - not synci...
CVE-2022-50223
In the Linux kernel, the following vulnerability has been resolved: LoongArch: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected, cpu_max_bits_warn() generates a runtime warning similar as below while we show /proc/cpuinfo. Fix t...
CVE-2022-50230
In the Linux kernel, the following vulnerability has been resolved: arm64: set UXN on swapper page tables [ This issue was fixed upstream by accident in c3cee924bd85 ("arm64: head: cover entire kernel image in initial ID map") as part of a large refactoring of the arm64 boot flow. This simple fix is ...
CVE-2025-38039
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled When attempting to enable MQPRIO while HTB offload is already configured, the driver currently returns -EINVAL and triggers a WARN_ON, leading to an unnecessar...
CVE-2025-38047
In the Linux kernel, the following vulnerability has been resolved: x86/fred: Fix system hang during S4 resume with FRED enabled Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective. It then loads a hibernation image, including the image kernel...
CVE-2025-38048
In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred: ===========================================...
CVE-2025-38091
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: check stream id dml21 wrapper to get plane_id [Why & How] Fix a false positive warning which occurs due to lack of correct checks when querying plane_id in DML21. This fixes the warning when performing a mode1 reset (...
CVE-2025-38144
In the Linux kernel, the following vulnerability has been resolved: watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe() devm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe() does not check for this case, which results in a NUL...
CVE-2025-38150
In the Linux kernel, the following vulnerability has been resolved: af_packet: move notifier's packet_dev_mc out of rcu critical section Syzkaller reports the following issue: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 __mutex_lock+0x106/0xe80 kernel/locking/mut...
CVE-2025-38156
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init() devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference. Prevent null pointer ...
CVE-2025-38171
In the Linux kernel, the following vulnerability has been resolved: power: supply: max77705: Fix workqueue error handling in probe The create_singlethread_workqueue() doesn't return error pointers, it returns NULL. Also cleanup the workqueue on the error paths.
CVE-2025-38242
In the Linux kernel, the following vulnerability has been resolved: mm: userfaultfd: fix race of userfaultfd_move and swap cache This commit fixes two kinds of races, they may have different results: Barry reported a BUG_ON in commit c50f8e6053b0, we may see the same BUG_ON if the filemap lookup ret...
CVE-2025-38247
In the Linux kernel, the following vulnerability has been resolved: userns and mnt_idmap leak in open_tree_attr(2) Once want_mount_setattr() has returned a positive, it does require finish_mount_kattr() to release ->mnt_userns. Failing do_mount_setattr() does not change that. As the result, we can...
CVE-2025-38255
In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: O...
CVE-2025-38271
In the Linux kernel, the following vulnerability has been resolved: net: prevent a NULL deref in rtnl_create_link() At the time rtnl_create_link() is running, dev->netdev_ops is NULL, we must not use netdev_lock_ops() or risk a NULL deref if CONFIG_NET_SHAPER is defined. Use netif_set_group() inst...
CVE-2025-38274
In the Linux kernel, the following vulnerability has been resolved: fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_tab...
CVE-2025-38281
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init devm_kasprintf() can return a NULL pointer on failure, but this returned value in mt7996_thermal_init() is not checked. Add NULL check in mt7996_thermal_init(), to handle kerne...
CVE-2025-38288
In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by using raw_smp_processor_id(). smp_processor_id() checks to see...
CVE-2025-38295
In the Linux kernel, the following vulnerability has been resolved: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This l...
CVE-2025-38296
In the Linux kernel, the following vulnerability has been resolved: ACPI: platform_profile: Avoid initializing on non-ACPI platforms The platform profile driver is loaded even on platforms that do not have ACPI enabled. The initialization of the sysfs entries was recently moved from platform_profile_...
CVE-2025-38297
In the Linux kernel, the following vulnerability has been resolved: PM: EM: Fix potential division-by-zero error in em_compute_costs() When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_init_performance(), resulting in division by zero when calculating ...
CVE-2025-38299
In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null. Avoid a crash if the device tree is not assigning a codec to these link...
CVE-2025-38301
In the Linux kernel, the following vulnerability has been resolved: nvmem: zynqmp_nvmem: unbreak driver after cleanup Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") changed the driver to expect the device pointer to be passed as the "context", but in nvmem the context paramet...
CVE-2025-38308
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix possible null-ptr-deref when initing hw Search result of avs_dai_find_path_template() shall be verified before being used. As 'template' is already known when avs_hw_constraints_init() is fired, drop the search ...
CVE-2025-38309
In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: move xe_svm_init() earlier In xe_vm_close_and_put() we need to be able to call xe_svm_fini(), however during vm creation we can call this on the error path, before having actually initialised the svm state, leading to vari...
CVE-2025-38316
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor() The function mt7996_set_monitor() dereferences phy before the NULL sanity check. Fix this to avoid NULL pointer dereference by moving the dereference after th...
CVE-2025-38318
In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Fix missing platform_set_drvdata() Add missing platform_set_drvdata in arm_ni_probe(), otherwise calling platform_get_drvdata() in remove returns NULL.
CVE-2025-38330
In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache) KASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets(). The code uses mock_coeff_template.length_bytes (4 bytes) for register value alloca...
CVE-2025-38338
In the Linux kernel, the following vulnerability has been resolved: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadlock because folio_unlock() was called twice, and the second call...
CVE-2025-38340
In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test KASAN reported out of bounds access - cs_dsp_mock_bin_add_name_or_info(), because the source string length was rounded up to the allocation size.
CVE-2025-38341
In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: avoid double free when failing to DMA-map FW msg The semantics are that caller of fbnic_mbx_map_msg() retains the ownership of the message on error. All existing callers dutifully free the page.
CVE-2025-38349
In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep refcount and then doing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead t...
CVE-2022-49974
In the Linux kernel, the following vulnerability has been resolved: HID: nintendo: fix rumble worker null pointer deref We can dereference a null pointer trying to queue work to a destroyed workqueue. If the device is disconnected, nintendo_hid_remove is called, in which the rumble_queue is destroyed...
CVE-2022-49976
In the Linux kernel, the following vulnerability has been resolved: platform/x86: x86-android-tablets: Fix broken touchscreen on Chuwi Hi8 with Windows BIOS The x86-android-tablets handling for the Chuwi Hi8 is only necessary with the Android BIOS and it is causing problems with the Windows BIOS ver...