CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38086 – net: ch9200: fix uninitialised access during mii_nway_restart
https://notcve.org/view.php?id=CVE-2025-38086
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialis... • https://git.kernel.org/stable/c/4a476bd6d1d923922ec950ddc4c27b279f6901eb •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38085 – mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
https://notcve.org/view.php?id=CVE-2025-38085
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in whic... • https://git.kernel.org/stable/c/39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38084 – mm/hugetlb: unshare page tables during VMA split, not before
https://notcve.org/view.php?id=CVE-2025-38084
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into t... • https://git.kernel.org/stable/c/39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa •
CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38083 – net_sched: prio: fix a race in prio_tune()
https://notcve.org/view.php?id=CVE-2025-38083
20 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() ... • https://git.kernel.org/stable/c/7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38081 – spi-rockchip: Fix register out of bounds access
https://notcve.org/view.php?id=CVE-2025-38081
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. • https://git.kernel.org/stable/c/4a120221661fcecb253448d7b041a52d47f1d91f •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38080 – drm/amd/display: Increase block_sequence array size
https://notcve.org/view.php?id=CVE-2025-38080
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to b... • https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757 •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38079 – crypto: algif_hash - fix double free in hash_accept
https://notcve.org/view.php?id=CVE-2025-38079
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set ... • https://git.kernel.org/stable/c/fe869cdb89c95d060c77eea20204d6c91f233b53 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38078 – ALSA: pcm: Fix race of buffer access at PCM OSS layer
https://notcve.org/view.php?id=CVE-2025-38078
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform... • https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38077 – platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()
https://notcve.org/view.php?id=CVE-2025-38077
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow. Add a check for an empty string. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: ... • https://git.kernel.org/stable/c/e8a60aa7404bfef37705da5607c97737073ac38d •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38075 – scsi: target: iscsi: Fix timeout on deleted connection
https://notcve.org/view.php?id=CVE-2025-38075
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_hand... • https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35 •