CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40207 – media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
https://notcve.org/view.php?id=CVE-2025-40207
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try(). In the Linux kernel, the following vulnerability has been... • https://git.kernel.org/stable/c/982c0487185bd466059ff618f398a8d074ddb654 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40206 – netfilter: nft_objref: validate objref and objrefmap expressions
https://notcve.org/view.php?id=CVE-2025-40206
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip... • https://git.kernel.org/stable/c/ee394f96ad7517fbc0de9106dcc7ce9efb14f264 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40205 – btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
https://notcve.org/view.php?id=CVE-2025-40205
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_... • https://git.kernel.org/stable/c/be6e8dc0ba84029997075a1ec77b4ddb863cbe15 •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40204 – sctp: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2025-40204
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40203 – listmount: don't call path_put() under namespace semaphore
https://notcve.org/view.php?id=CVE-2025-40203
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked. In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're ... • https://git.kernel.org/stable/c/b4c2bea8ceaa50cd42a8f73667389d801a3ecf2d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40202 – ipmi: Rework user message limit handling
https://notcve.org/view.php?id=CVE-2025-40202
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free. Restructure how this is all done to handle more in the receive message allocation routine, so all refcouting and user message limit counts are done in that routine. It's a lot cleaner and safer. In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user mes... • https://git.kernel.org/stable/c/8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 •
CVSS: 6.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40201 – kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
https://notcve.org/view.php?id=CVE-2025-40201
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prl... • https://git.kernel.org/stable/c/18c91bb2d87268d23868bf13508f5bc9cf04e89a •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40200 – Squashfs: reject negative file sizes in squashfs_read_inode()
https://notcve.org/view.php?id=CVE-2025-40200
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode() Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. [phillip@squashfs.org.uk: only need to check 64 bit quantity] In the Linux kernel, the following vulnerability has been resolved: Squa... • https://git.kernel.org/stable/c/6545b246a2c815a8fcd07d58240effb6ec3481b1 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40198 – ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
https://notcve.org/view.php?id=CVE-2025-40198
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ex... • https://git.kernel.org/stable/c/8b67f04ab9de5d8f3a71aef72bf02c995a506db5 •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40197 – media: mc: Clear minor number before put device
https://notcve.org/view.php?id=CVE-2025-40197
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mc: Clear minor number before put device The device minor should not be cleared after the device is released. • https://git.kernel.org/stable/c/dd156f44ea82cc249f46c519eed3b2f8983c8002 •