CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40107 – can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
https://notcve.org/view.php?id=CVE-2025-40107
03 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled This issue is similar to the vulnerability in the `mcp251x` driver, which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from sleep before interface was brought up"). In the `hi311x` driver, when the device resumes from sleep, the driver schedules `priv->restart_work`. However, if the network interface was not previously enabled, the... • https://git.kernel.org/stable/c/d1fc4c041459e2d4856c1b2501486ba4f0cbf96b •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40106 – comedi: fix divide-by-zero in comedi_buf_munge()
https://notcve.org/view.php?id=CVE-2025-40106
31 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: fix divide-by-zero in comedi_buf_munge() The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar ... • https://git.kernel.org/stable/c/4ffea48c69cb2b96a281cb7e5e42d706996631db •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40099 – cifs: parse_dfs_referrals: prevent oob on malformed input
https://notcve.org/view.php?id=CVE-2025-40099
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: parse_dfs_referrals: prevent oob on malformed input Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header Processing of such replies will cause oob. Return -EINVAL error on such replies to prevent oob-s. In the Linux kernel, the following vulnerability has been resolved: cifs: parse_df... • https://git.kernel.org/stable/c/cfacc7441f760e4a73cc71b6ff1635261d534657 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40095 – usb: gadget: f_rndis: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40095
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free() After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. In the Linux kernel, the following vulnerability has been resol... • https://git.kernel.org/stable/c/45fe3b8e5342cd1ce307099459c74011d8e01986 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40094 – usb: gadget: f_acm: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40094
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_acm: Refactor bind path to use __free() After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address... • https://git.kernel.org/stable/c/1f1ba11b64947051fc32aa15fcccef6463b433f7 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40093 – usb: gadget: f_ecm: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40093
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ecm: Refactor bind path to use __free() After an bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. In the Linux kernel, the following vulnerability has been resolved:... • https://git.kernel.org/stable/c/da741b8c56d612b5dd26ffa31341911a5fea23ee •
CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40088 – hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
https://notcve.org/view.php?id=CVE-2025-40088
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() The hfsplus_strcasecmp() logic can trigger the issue: [ 117.317703][ T9855] ================================================================== [ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [ 117.319577][ T9855] [ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm... • https://git.kernel.org/stable/c/603158d4efa98a13a746bd586c20f194f4a31ec8 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-7324 – scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
https://notcve.org/view.php?id=CVE-2023-7324
29 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses Sanitize possible addl_desc_ptr out-of-bounds accesses in ses_enclosure_data_process(). In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses Sanitize possible addl_desc_ptr out-of-bounds accesses in ses_enclosure_data_process(). • https://git.kernel.org/stable/c/af5114d824f3511a69d68beff49ca9a7c32d44e0 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40083 – net/sched: sch_qfq: Fix null-deref in agg_dequeue
https://notcve.org/view.php?id=CVE-2025-40083
29 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix null-deref in agg_dequeue To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_... • https://git.kernel.org/stable/c/6ffa9d66187188e3068b5a3895e6ae1ee34f9199 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40053 – net: dlink: handle copy_thresh allocation failure
https://notcve.org/view.php?id=CVE-2025-40053
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh allocation failure The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference. This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path. Tested-on: D-Link DGE-550T Rev-A3 In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •