CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2025-40011 – drm/gma500: Fix null dereference in hdmi teardown
https://notcve.org/view.php?id=CVE-2025-40011
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/gma500: Fix null dereference in hdmi teardown pci_set_drvdata sets the value of pdev->driver_data to NULL, after which the driver_data obtained from the same dev is dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is extracted from it. To prevent this, swap these calls. Found by Linux Verification Center (linuxtesting.org) with Svacer. In the Linux kernel, the following vulnerability has been resolved: drm/gma500: Fix null derefe... • https://git.kernel.org/stable/c/1b082ccf5901108d3acd860a73d8c0442556c0bb •
CVSS: 7.1EPSS: %CPEs: 8EXPL: 0CVE-2025-40006 – mm/hugetlb: fix folio is still mapped when deleted
https://notcve.org/view.php?id=CVE-2025-40006
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix folio is still mapped when deleted Migration may be raced with fallocating hole. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it's called without folio lock. If the folio is migrated and the mapped pte has been converted to migration entry, folio_mapped() returns false, and won't unmap it. Due to extra refcount held by remove_inode_single_folio, migration fails, restores migration ent... • https://git.kernel.org/stable/c/4aae8d1c051ea00b456da6811bc36d1f69de5445 •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2025-40005 – spi: cadence-quadspi: Implement refcount to handle unbind during busy
https://notcve.org/view.php?id=CVE-2025-40005
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Implement refcount to handle unbind during busy driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser. Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to trac... • https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40003 – net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work
https://notcve.org/view.php?id=CVE-2025-40003
18 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work The origin code calls cancel_delayed_work() in ocelot_stats_deinit() to cancel the cyclic delayed work item ocelot->stats_work. However, cancel_delayed_work() may fail to cancel the work item if it is already executing. While destroy_workqueue() does wait for all pending work items in the work queue to complete before destroying the work queue, it cannot prevent the delayed... • https://git.kernel.org/stable/c/a556c76adc052c979ef9e80f0cd3fa1379ff4943 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40001 – scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
https://notcve.org/view.php?id=CVE-2025-40001
18 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to ... • https://git.kernel.org/stable/c/20b09c2992fefbe78f8cede7b404fb143a413c52 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39998 – scsi: target: target_core_configfs: Add length check to avoid buffer overflow
https://notcve.org/view.php?id=CVE-2025-39998
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: target_core_configfs: Add length check to avoid buffer overflow A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev... • https://git.kernel.org/stable/c/ddc79fba132b807ff775467acceaf48b456e008b •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39996 – media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
https://notcve.org/view.php?id=CVE-2025-39996
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device. A typical... • https://git.kernel.org/stable/c/382c5546d618f24dc7d6ae7ca33412083720efbf •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39995 – media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
https://notcve.org/view.php?id=CVE-2025-39995
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, ... • https://git.kernel.org/stable/c/d32d98642de66048f9534a05f3641558e811bbc9 •
CVSS: 6.9EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39994 – media: tuner: xc5000: Fix use-after-free in xc5000_release
https://notcve.org/view.php?id=CVE-2025-39994
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: tuner: xc5000: Fix use-after-free in xc5000_release The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv. A typical race condition is illustrated be... • https://git.kernel.org/stable/c/f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39993 – media: rc: fix races with imon_disconnect()
https://notcve.org/view.php?id=CVE-2025-39993
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1... • https://git.kernel.org/stable/c/21677cfc562a27e099719d413287bc8d1d24deb7 •