CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21683 – bpf: Fix bpf_sk_select_reuseport() memory leak
https://notcve.org/view.php?id=CVE-2025-21683
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_sk_select_reuseport() memory leak As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb does not imply a non-refcounted socket. Drop sk's reference in both error paths. unreferenced object 0xffff888101911800 (size 2048): comm "test_progs", pid 44109, jiffies 429... • https://git.kernel.org/stable/c/64d85290d79c0677edb5a8ee2295b36c022fa5df •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-21682 – eth: bnxt: always recalculate features after XDP clearing, fix null-deref
https://notcve.org/view.php?id=CVE-2025-21682
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: always recalculate features after XDP clearing, fix null-deref Recalculate features when XDP is detached. Before: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: off [requested on] After: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: on The fact that HW-GRO doesn't get re-enabled au... • https://git.kernel.org/stable/c/1054aee82321483dceabbb9b9e5d6512e8fe684b •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21681 – openvswitch: fix lockup on tx to unregistering netdev with carrier
https://notcve.org/view.php?id=CVE-2025-21681
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core fore... • https://git.kernel.org/stable/c/644b3051b06ba465bc7401bfae9b14963cbc8c1c •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21680 – pktgen: Avoid out-of-bounds access in get_imix_entries
https://notcve.org/view.php?id=CVE-2025-21680
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21678 – gtp: Destroy device along with udp socket's netns dismantle.
https://notcve.org/view.php?id=CVE-2025-21678
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 nam... • https://git.kernel.org/stable/c/459aa660eb1d8ce67080da1983bb81d716aa5a69 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21676 – net: fec: handle page_pool_dev_alloc_pages error
https://notcve.org/view.php?id=CVE-2025-21676
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: net: fec: handle page_pool_dev_alloc_pages error The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did not handle the case when it returned NULL. There was a WARN_ON(!new_page) but it would still proceed to use the NULL pointer and then crash. This case does seem somewhat rare but when the system is under memory pressure it can happen. One case where I can duplicate this with some frequency is when writing over a smbd sha... • https://git.kernel.org/stable/c/95698ff6177b5f1f13f251da60e7348413046ae4 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21675 – net/mlx5: Clear port select structure when fail to create
https://notcve.org/view.php?id=CVE-2025-21675
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clear port select structure when fail to create Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash: mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 1 mlx5_lag_dest... • https://git.kernel.org/stable/c/dc48516ec7d369c6b80bf9f14d774287b6c428aa •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21673 – smb: client: fix double free of TCP_Server_Info::hostname
https://notcve.org/view.php?id=CVE-2025-21673
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf ... • https://git.kernel.org/stable/c/7be3248f313930ff3d3436d4e9ddbe9fccc1f541 •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-21672 – afs: Fix merge preference rule failure condition
https://notcve.org/view.php?id=CVE-2025-21672
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: afs: Fix merge preference rule failure condition syzbot reported a lock held when returning to userspace[1]. This is because if argc is less than 0 and the function returns directly, the held inode lock is not released. Fix this by store the error in ret and jump to done to clean up instead of returning directly. [dh: Modified Lizhi Xu's original patch to make it honour the error code from afs_split_string()] [1] WARNING: lock held when ret... • https://git.kernel.org/stable/c/22be1d90a6211c88dd093b25d1f3aa974d0d9f9d •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21671 – zram: fix potential UAF of zram table
https://notcve.org/view.php?id=CVE-2025-21671
31 Jan 2025 — In the Linux kernel, the following vulnerability has been resolved: zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device. In the Linux kernel, the following vulnerability has been resolved: zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which wi... • https://git.kernel.org/stable/c/ac3b5366b9b7c9d97b606532ceab43d2329a22f3 •