CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40206 – netfilter: nft_objref: validate objref and objrefmap expressions
https://notcve.org/view.php?id=CVE-2025-40206
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip... • https://git.kernel.org/stable/c/ee394f96ad7517fbc0de9106dcc7ce9efb14f264 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40205 – btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
https://notcve.org/view.php?id=CVE-2025-40205
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_... • https://git.kernel.org/stable/c/be6e8dc0ba84029997075a1ec77b4ddb863cbe15 •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40204 – sctp: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2025-40204
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40200 – Squashfs: reject negative file sizes in squashfs_read_inode()
https://notcve.org/view.php?id=CVE-2025-40200
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode() Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. [phillip@squashfs.org.uk: only need to check 64 bit quantity] In the Linux kernel, the following vulnerability has been resolved: Squa... • https://git.kernel.org/stable/c/6545b246a2c815a8fcd07d58240effb6ec3481b1 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40198 – ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
https://notcve.org/view.php?id=CVE-2025-40198
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ex... • https://git.kernel.org/stable/c/8b67f04ab9de5d8f3a71aef72bf02c995a506db5 •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40197 – media: mc: Clear minor number before put device
https://notcve.org/view.php?id=CVE-2025-40197
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mc: Clear minor number before put device The device minor should not be cleared after the device is released. • https://git.kernel.org/stable/c/dd156f44ea82cc249f46c519eed3b2f8983c8002 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40196 – fs: quota: create dedicated workqueue for quota_release_work
https://notcve.org/view.php?id=CVE-2025-40196
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: quota: create dedicated workqueue for quota_release_work There is a kernel panic due to WARN_ONCE when panic_on_warn is set. This issue occurs when writeback is triggered due to sync call for an opened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance is needed at sync path, flush for quota_release_work is triggered. By default quota_release_work is queued to "events_unbound" queue which does not have WQ_MEM_RECLAIM flag. ... • https://git.kernel.org/stable/c/bcacb52a985f1b6d280f698a470b873dfe52728a •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40195 – mount: handle NULL values in mnt_ns_release()
https://notcve.org/view.php?id=CVE-2025-40195
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release() When calling in listmount() mnt_ns_release() may be passed a NULL pointer. Handle that case gracefully. In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release() When calling in listmount() mnt_ns_release() may be passed a NULL pointer. Handle that case gracefully. • https://git.kernel.org/stable/c/2d68f8a7379d9c61005e982600c61948d4d019bd •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40194 – cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
https://notcve.org/view.php?id=CVE-2025-40194
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_psta... • https://git.kernel.org/stable/c/da5c504c7aae96db68c4b38e2564a88e91842d89 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40193 – xtensa: simdisk: add input size check in proc_write_simdisk
https://notcve.org/view.php?id=CVE-2025-40193
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash. This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()") In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could ... • https://git.kernel.org/stable/c/b6c7e873daf765e41233b9752083b66442703b7a •