CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38082 – gpio: virtuser: fix potential out-of-bound write
https://notcve.org/view.php?id=CVE-2025-38082
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix potential out-of-bound write If the caller wrote more characters, count is truncated to the max available space in "simple_write_to_buffer". Check that the input size does not exceed the buffer size. Write a zero termination afterwards. • https://git.kernel.org/stable/c/afe090366f470f77e140ff3407db813f57852c04 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38081 – spi-rockchip: Fix register out of bounds access
https://notcve.org/view.php?id=CVE-2025-38081
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. • https://git.kernel.org/stable/c/4a120221661fcecb253448d7b041a52d47f1d91f •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38080 – drm/amd/display: Increase block_sequence array size
https://notcve.org/view.php?id=CVE-2025-38080
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to b... • https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38079 – crypto: algif_hash - fix double free in hash_accept
https://notcve.org/view.php?id=CVE-2025-38079
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. • https://git.kernel.org/stable/c/fe869cdb89c95d060c77eea20204d6c91f233b53 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38078 – ALSA: pcm: Fix race of buffer access at PCM OSS layer
https://notcve.org/view.php?id=CVE-2025-38078
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform... • https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38075 – scsi: target: iscsi: Fix timeout on deleted connection
https://notcve.org/view.php?id=CVE-2025-38075
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_hand... • https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38074 – vhost-scsi: protect vq->log_used with vq->mutex
https://notcve.org/view.php?id=CVE-2025-38074
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_... • https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38073 – block: fix race between set_blocksize and read paths
https://notcve.org/view.php?id=CVE-2025-38073
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: block: fix race between set_blocksize and read paths With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash. Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device. The read call can create an order-0 folio to read the first 4096 bytes from the disk. But then ude... • https://git.kernel.org/stable/c/64f505b08e0cfd8163491c8c082d4f47a88e51d4 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38072 – libnvdimm/labels: Fix divide error in nd_label_data_init()
https://notcve.org/view.php?id=CVE-2025-38072
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver: Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm] Code and flow: 1) CXL Command 4000h returns LSA size = 0 2) config_size is... • https://git.kernel.org/stable/c/2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-38071 – x86/mm: Check return value from memblock_phys_alloc_range()
https://notcve.org/view.php?id=CVE-2025-38071
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm: Check return value from memblock_phys_alloc_range() At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_phys_free() to throw the first 4 MiB of physical memory to the wolves. At a minimum it should fail gracefully with a meaningful diagnostic, but in fact every... • https://git.kernel.org/stable/c/8c18c904d301ffeb33b071eadc55cd6131e1e9be •