
CVE-2025-21866 – powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC
https://notcve.org/view.php?id=CVE-2025-21866
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x8... • https://git.kernel.org/stable/c/37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 •

CVE-2025-21865 – gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
https://notcve.org/view.php?id=CVE-2025-21865
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->... • https://git.kernel.org/stable/c/efec287cbac92ac6ee8312a89221854760e13b34 •

CVE-2025-21864 – tcp: drop secpath at the same time as we currently drop dst
https://notcve.org/view.php?id=CVE-2025-21864
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xf... • https://git.kernel.org/stable/c/68822bdf76f10c3dc80609d4e2cdc1e847429086 •

CVE-2025-21863 – io_uring: prevent opcode speculation
https://notcve.org/view.php?id=CVE-2025-21863
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we sanitise it against speculations. • https://git.kernel.org/stable/c/d3656344fea0339fb0365c8df4d2beba4e0089cd •

CVE-2025-21862 – drop_monitor: fix incorrect initialization order
https://notcve.org/view.php?id=CVE-2025-21862
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner:

CVE-2025-21861 – mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
https://notcve.org/view.php?id=CVE-2025-21861
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LR... • https://git.kernel.org/stable/c/8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 •

CVE-2025-21860 – mm/zswap: fix inconsistency when zswap_store_page() fails
https://notcve.org/view.php?id=CVE-2025-21860
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/zswap: fix inconsistency when zswap_store_page() fails Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") skips charging any zswap entries when it failed to zswap the entire folio. However, when some base pages are zswapped but it failed to zswap the entire folio, the zswap operation is rolled back. When freeing zswap entries for those pages, zswap_entry_free() uncharges the zswap entries that were not previously ch... • https://git.kernel.org/stable/c/b7c0ccdfbafdec98699ddb6f164beebf16f0bc45 •

CVE-2025-21859 – USB: gadget: f_midi: f_midi_complete to call queue_work
https://notcve.org/view.php?id=CVE-2025-21859
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock. Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler. • https://git.kernel.org/stable/c/d5daf49b58661ec4af7a55b277176efbf945ca05 •

CVE-2025-21858 – geneve: Fix use-after-free in geneve_find_dev().
https://notcve.org/view.php?id=CVE-2025-21858
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each d... • https://git.kernel.org/stable/c/2d07dc79fe04a43d82a346ced6bbf07bdb523f1b • CWE-416: Use After Free •

CVE-2025-21857 – net/sched: cls_api: fix error handling causing NULL dereference
https://notcve.org/view.php?id=CVE-2025-21857
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: fix error handling causing NULL dereference tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change(). fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with ex... • https://git.kernel.org/stable/c/80cd22c35c9001fe72bf614d29439de41933deca •