CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38001 – net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
https://notcve.org/view.php?id=CVE-2025-38001
06 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses... • https://git.kernel.org/stable/c/e5bee633cc276410337d54b99f77fbc1ad8801e5 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38000 – sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
https://notcve.org/view.php?id=CVE-2025-38000
06 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not ... • https://git.kernel.org/stable/c/12d0ad3be9c3854e52ec74bb83bb6f43612827c7 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37998 – openvswitch: Fix unsafe attribute parsing in output_userspace()
https://notcve.org/view.php?id=CVE-2025-37998
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed. In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspac... • https://git.kernel.org/stable/c/ccb1352e76cff0524e7ccb2074826a092dd13016 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37995 – module: ensure that kobject_put() is safe for module type kobjects
https://notcve.org/view.php?id=CVE-2025-37995
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding ... • https://git.kernel.org/stable/c/942e443127e928a5631c3d5102aca8c8b3c2dd98 •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0CVE-2025-37992 – net_sched: Flush gso_skb list too during ->change()
https://notcve.org/view.php?id=CVE-2025-37992
26 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed... • https://git.kernel.org/stable/c/76e3cc126bb223013a6b9a0e2a51238d1ef2e409 •
CVSS: 6.9EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37991 – parisc: Fix double SIGFPE crash
https://notcve.org/view.php?id=CVE-2025-37991
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Fix double SIGFPE crash Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately. When the T bit is set, an assist exception trap occurs when when the co-pr... • https://git.kernel.org/stable/c/2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6 •
CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37990 – wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
https://notcve.org/view.php?id=CVE-2025-37990
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() The function brcmf_usb_dl_writeimage() calls the function brcmf_usb_dl_cmd() but dose not check its return value. The 'state.state' and the 'state.bytes' are uninitialized if the function brcmf_usb_dl_cmd() fails. It is dangerous to use uninitialized variables in the conditions. Add error handling for brcmf_usb_dl_cmd() to jump to error handling path if the brcmf_usb_dl... • https://git.kernel.org/stable/c/71bb244ba2fd5390eefe4ee9054abdb3f8b05922 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-37984 – crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()
https://notcve.org/view.php?id=CVE-2025-37984
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa implementation's ->key_size() callback returns an unusually large value. Herbert instead suggests (for a division by 8): X / 8 + !!(X & 7) Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and use it in lieu of DIV_ROUND_UP() for ->key_size() return values. Additionally, use the macro... • https://git.kernel.org/stable/c/921b8167f10708e38080f84e195cdc68a7a561f1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37983 – qibfs: fix _another_ leak
https://notcve.org/view.php?id=CVE-2025-37983
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: qibfs: fix _another_ leak failure to allocate inode => leaked dentry... this one had been there since the initial merge; to be fair, if we are that far OOM, the odds of failing at that particular allocation are low... In the Linux kernel, the following vulnerability has been resolved: qibfs: fix _another_ leak failure to allocate inode => leaked dentry... this one had been there since the initial merge; to be fair, if we are that far OOM, t... • https://git.kernel.org/stable/c/5e280cce3a29b7fe7b828c6ccd5aa5ba87ceb6b6 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37982 – wifi: wl1251: fix memory leak in wl1251_tx_work
https://notcve.org/view.php?id=CVE-2025-37982
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: fix memory leak in wl1251_tx_work The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue. In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: fix memory leak in wl1251_tx_work The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_q... • https://git.kernel.org/stable/c/c5483b71936333ba9474f57d0f3a7a7abf9b87a0 •