
CVE-2025-39985 – can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39985
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Sending a PF_PACKET allows bypassing the CAN framework logic and directly reaching the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the mcba_usb driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to confi... • https://git.kernel.org/stable/c/51f3baad7de943780ce0c17bd7975df567dd6e14

CVE-2025-39984 – net: tun: Update napi->skb after XDP process
https://notcve.org/view.php?id=CVE-2025-39984
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: tun: Update napi->skb after XDP process syzbot reported a UAF issue: BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline] BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline] BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758 Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079 CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syz... • https://git.kernel.org/stable/c/e6d5dbdd20aa6a86974af51deb9414cd2e7794cb

CVE-2025-39983 – Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
https://notcve.org/view.php?id=CVE-2025-39983
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue This fixes the following UAF caused by not properly locking hdev when processing HCI_EV_NUM_COMP_PKTS: BUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036 Read of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54 CPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PI... • https://git.kernel.org/stable/c/134f4b39df7b77225a80ef585c15d46f964f5e6f

CVE-2025-39982 – Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
https://notcve.org/view.php?id=CVE-2025-39982
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync This fixes the following UAF in hci_acl_create_conn_sync where a connection still pending command submission (conn->state == BT_OPEN) may be freed; since this can also happen with the likes of hci_le_create_conn_sync, fix it as well: BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861 Write of size 2 at addr ffff88805ffcc038 by ... • https://git.kernel.org/stable/c/aef2aa4fa98e18ea5d9345bf777ee698c8598728

CVE-2025-39981 – Bluetooth: MGMT: Fix possible UAFs
https://notcve.org/view.php?id=CVE-2025-39981
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attempts to fix possible UAFs caused by struct mgmt_pending being freed while still being processed, like in the following trace. In order to fix this, mgmt_pending_valid is introduced and used to check that the mgmt_pending hasn't been removed from the pending list; on the complete callbacks it is used to check and, in addition, to remove the cmd from the list while holding mgmt_pending_lock to avoid TOCTOU problems s... • https://git.kernel.org/stable/c/cf75ad8b41d2aa06f98f365d42a3ae8b059daddd

CVE-2025-39980 – nexthop: Forbid FDB status change while nexthop is in a group
https://notcve.org/view.php?id=CVE-2025-39980
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: nexthop: Forbid FDB status change while nexthop is in a group The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops: # ip nexthop add id 1 via 192.0.2.1 fdb # ip nexthop add id 2 group 1 Error: Non FDB nexthop group cannot have fdb nexthops. And vice versa: # ip nexthop add id 3 via 192.0.2.2 dev dummy1 # ip nexthop add id 4 group 3 fdb Error: FDB nexthop group can only have fdb nexthops. However, as long as no routes ... • https://git.kernel.org/stable/c/38428d68719c454d269cb03b776d8a4b0ad66111

CVE-2025-39979 – net/mlx5: fs, fix UAF in flow counter release
https://notcve.org/view.php?id=CVE-2025-39979
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fs, fix UAF in flow counter release Fix a kernel trace [1] caused by releasing an HWS action of a local flow counter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and mutex were not initialized and the counter struct could already be freed when deleting the rule. Fix it by adding the missing initializations and adding refcount for the local flow counter struct. [1] Kernel log: Call Trace:

CVE-2025-39978 – octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
https://notcve.org/view.php?id=CVE-2025-39978
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free. • https://git.kernel.org/stable/c/68fbff68dbea35f9e6f7649dd22fce492a5aedac

CVE-2025-39977 – futex: Prevent use-after-free during requeue-PI
https://notcve.org/view.php?id=CVE-2025-39977
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* bac... • https://git.kernel.org/stable/c/07d91ef510fb16a2e0ca7453222105835b7ba3b8

CVE-2025-39976 – futex: Use correct exit on failure from futex_hash_allocate_default()
https://notcve.org/view.php?id=CVE-2025-39976
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: futex: Use correct exit on failure from futex_hash_allocate_default() copy_process() uses the wrong error exit path from futex_hash_allocate_default(). After exiting from futex_hash_allocate_default(), neither tasklist_lock nor siglock has been acquired. The exit label bad_fork_core_free unlocks both of these locks which is wrong. The next exit label, bad_fork_cancel_cgroup, is the correct exit. sched_cgroup_fork() did not allocate any reso... • https://git.kernel.org/stable/c/7c4f75a21f636486d2969d9b6680403ea8483539