CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-21985 – drm/amd/display: Fix out-of-bound accesses
https://notcve.org/view.php?id=CVE-2025-21985
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix out-of-bound accesses [WHAT & HOW] hpo_stream_to_link_encoder_mapping has size MAX_HPO_DP2_ENCODERS(=4), but location can have size up to 6. As a result, it is necessary to check location against MAX_HPO_DP2_ENCODERS. Similiarly, disp_cfg_stream_location can be used as an array index which should be 0..5, so the ASSERT's conditions should be less without equal. • https://git.kernel.org/stable/c/36793d90d76f667d26c6dd025571481ee0c96abc •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-21981 – ice: fix memory leak in aRFS after reset
https://notcve.org/view.php?id=CVE-2025-21981
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two cases: - as part of VSI initialization (at probe), and - as part of reset handling However, VSI reconfiguration executed during reset involves memory allocation one more time, without prior releasing already allo... • https://git.kernel.org/stable/c/28bf26724fdb0e02267d19e280d6717ee810a10d •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-21976 – fbdev: hyperv_fb: Allow graceful removal of framebuffer
https://notcve.org/view.php?id=CVE-2025-21976
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: hyperv_fb: Allow graceful removal of framebuffer When a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to release the framebuffer forcefully. If this framebuffer is in use it produce the following WARN and hence this framebuffer is never released. [ 44.111220] WARNING: CPU: 35 PID: 1882 at drivers/video/fbdev/core/fb_info.c:70 framebuffer_release+0x2c/0x40 < snip > [ 44.111289] Call Trace: [ 44.111290]
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-21975 – net/mlx5: handle errors in mlx5_chains_create_table()
https://notcve.org/view.php?id=CVE-2025-21975
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: handle errors in mlx5_chains_create_table() In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and return error pointer. • https://git.kernel.org/stable/c/39ac237ce00968545e7298faa9e07ecb7e440fb5 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-21972 – net: mctp: unshare packets when reassembling
https://notcve.org/view.php?id=CVE-2025-21972
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mctp: unshare packets when reassembling Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular references between fragments and their skb_shared_info. The upcoming MCTP-over-USB driver uses skb_clone which can trigger the problem - other MCTP drivers don't share SKBs. A kunit test is added to reproduce the issue. • https://git.kernel.org/stable/c/4a992bbd365094730a31bae1e12a6ca695336d57 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-21971 – net_sched: Prevent creation of classes with TC_H_ROOT
https://notcve.org/view.php?id=CVE-2025-21971
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead t... • https://git.kernel.org/stable/c/066a3b5b2346febf9a655b444567b7138e3bb939 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-21970 – net/mlx5: Bridge, fix the crash caused by LAG state check
https://notcve.org/view.php?id=CVE-2025-21970
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's... • https://git.kernel.org/stable/c/ff9b7521468bc2909293c1cda66a245a49688f6f •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-21969 – Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
https://notcve.org/view.php?id=CVE-2025-21969
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9... • https://git.kernel.org/stable/c/c96cce853542b3b13da3738f35ef1be8cfcc9d1d •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-21968 – drm/amd/display: Fix slab-use-after-free on hdcp_work
https://notcve.org/view.php?id=CVE-2025-21968
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) • https://git.kernel.org/stable/c/da3fd7ac0bcf372cc57117bdfcd725cca7ef975a •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-21967 – ksmbd: fix use-after-free in ksmbd_free_work_struct
https://notcve.org/view.php?id=CVE-2025-21967
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever a oplock break wait is needed. • https://git.kernel.org/stable/c/fb776765bfc21d5e4ed03bb3d4406c2b86ff1ac3 •