CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21700 – net: sched: Disallow replacing of child qdisc from one parent to another
https://notcve.org/view.php?id=CVE-2025-21700
13 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc cl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21699 – gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
https://notcve.org/view.php?id=CVE-2025-21699
12 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two. In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space wh... • https://git.kernel.org/stable/c/2b0bd5051ad1c1e9ef4879f18e15a7712c974f3e •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-21690 – scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
https://notcve.org/view.php?id=CVE-2025-21690
10 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service If there... • https://git.kernel.org/stable/c/81d4dd05c412ba04f9f6b85b718e6da833be290c •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21689 – USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
https://notcve.org/view.php?id=CVE-2025-21689
10 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following: if (newport > serial->num_ports) { dev_err(&port->dev, "%s - port change to invalid port: %i\n", __func__, newport); break; } The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is... • https://git.kernel.org/stable/c/f7a33e608d9ae022b7f49307921627e34e9484ed •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21687 – vfio/platform: check the bounds of read/write syscalls
https://notcve.org/view.php?id=CVE-2025-21687
10 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device. In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be us... • https://git.kernel.org/stable/c/6e3f264560099869f68830cb14b3b3e71e5ac76a •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-57950 – drm/amd/display: Initialize denominator defaults to 1
https://notcve.org/view.php?id=CVE-2024-57950
10 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize denominator defaults to 1 [WHAT & HOW] Variables, used as denominators and maybe not assigned to other values, should be initialized to non-zero to avoid DIVIDE_BY_ZERO, as reported by Coverity. (cherry picked from commit e2c4c6c10542ccfe4a0830bb6c9fd5b177b7bbb7) In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize denominator defaults to 1 [WHAT & HOW] Variables, used a... • https://git.kernel.org/stable/c/c9d6afb4f9c338049662d27d169fba7dd60e337d •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52924 – netfilter: nf_tables: don't skip expired elements during walk
https://notcve.org/view.php?id=CVE-2023-52924
05 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't skip expired elements during walk There is an asymmetry between commit/abort and preparation phase if the following conditions are met: 1. set is a verdict map ("1.2.3.4 : jump foo") 2. timeouts are enabled In this case, following sequence is problematic: 1. element E in set S refers to chain C 2. userspace requests removal of set S 3. kernel does a set walk to decrement chain->use count for all elements from pre... • https://git.kernel.org/stable/c/9d0982927e79049675cb6c6c04a0ebb3dad5a434 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21678 – gtp: Destroy device along with udp socket's netns dismantle.
https://notcve.org/view.php?id=CVE-2025-21678
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 nam... • https://git.kernel.org/stable/c/459aa660eb1d8ce67080da1983bb81d716aa5a69 •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-21672 – afs: Fix merge preference rule failure condition
https://notcve.org/view.php?id=CVE-2025-21672
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: afs: Fix merge preference rule failure condition syzbot reported a lock held when returning to userspace[1]. This is because if argc is less than 0 and the function returns directly, the held inode lock is not released. Fix this by store the error in ret and jump to done to clean up instead of returning directly. [dh: Modified Lizhi Xu's original patch to make it honour the error code from afs_split_string()] [1] WARNING: lock held when ret... • https://git.kernel.org/stable/c/22be1d90a6211c88dd093b25d1f3aa974d0d9f9d •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21667 – iomap: avoid avoid truncating 64-bit offset to 32 bits
https://notcve.org/view.php?id=CVE-2025-21667
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem. In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was i... • https://git.kernel.org/stable/c/7ca4bd6b754913910151acce00be093f03642725 •