CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40211 – ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
https://notcve.org/view.php?id=CVE-2025-40211
21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by ... • https://git.kernel.org/stable/c/8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 •
CVSS: 6.6 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40210 – Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"
https://notcve.org/view.php?id=CVE-2025-40210
21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"). Tianshuo Han also reports a potential vulnerability when deco... • https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40209 – btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation
https://notcve.org/view.php?id=CVE-2025-40209
21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup. The issue occurs because the level validation check ... • https://git.kernel.org/stable/c/4addc1ffd67ad34394674dc91379dc04cfdd2537 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40207 – media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
https://notcve.org/view.php?id=CVE-2025-40207
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try(). • https://git.kernel.org/stable/c/982c0487185bd466059ff618f398a8d074ddb654 •
CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40206 – netfilter: nft_objref: validate objref and objrefmap expressions
https://notcve.org/view.php?id=CVE-2025-40206
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip... • https://git.kernel.org/stable/c/ee394f96ad7517fbc0de9106dcc7ce9efb14f264 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40205 – btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
https://notcve.org/view.php?id=CVE-2025-40205
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_... • https://git.kernel.org/stable/c/be6e8dc0ba84029997075a1ec77b4ddb863cbe15 •
CVSS: 6.3 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40204 – sctp: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2025-40204
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40203 – listmount: don't call path_put() under namespace semaphore
https://notcve.org/view.php?id=CVE-2025-40203
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked. • https://git.kernel.org/stable/c/b4c2bea8ceaa50cd42a8f73667389d801a3ecf2d •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40202 – ipmi: Rework user message limit handling
https://notcve.org/view.php?id=CVE-2025-40202
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free. Restructure how this is all done to handle more in the receive message allocation routine, so all refcounting and user message limit counts are done in that routine. It's a lot cleaner and safer. • https://git.kernel.org/stable/c/8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 •
CVSS: 6.2 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40201 – kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
https://notcve.org/view.php?id=CVE-2025-40201
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prl... • https://git.kernel.org/stable/c/18c91bb2d87268d23868bf13508f5bc9cf04e89a •
