CVSS: 6.4EPSS: %CPEs: 4EXPL: 0CVE-2025-39965 – xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
https://notcve.org/view.php?id=CVE-2025-39965
13 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states and add them to the byspi list with this value. __xfrm_state_delete doesn't remove those states from the byspi list, since they shouldn't be there, and this shows up as a UAF the next time we go through the byspi list. In the Linux kernel, the following vulnerability has bee... • https://git.kernel.org/stable/c/3d8090bb53424432fa788fe9a49e8ceca74f0544 •
CVSS: 7.8EPSS: %CPEs: 7EXPL: 0CVE-2025-39964 – crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
https://notcve.org/view.php?id=CVE-2025-39964
13 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg ... • https://git.kernel.org/stable/c/8ff590903d5fc7f5a0a988c38267a3d08e6393a2 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39963 – io_uring: fix incorrect io_kiocb reference in io_link_skb
https://notcve.org/view.php?id=CVE-2025-39963
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix incorrect io_kiocb reference in io_link_skb In io_link_skb function, there is a bug where prev_notif is incorrectly assigned using 'nd' instead of 'prev_nd'. This causes the context validation check to compare the current notification with itself instead of comparing it with the previous notification. Fix by using the correct prev_nd parameter when obtaining prev_notif. In the Linux kernel, the following vulnerability has been... • https://git.kernel.org/stable/c/6fe4220912d19152a26ce19713ab232f4263018d •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39962 – rxrpc: Fix untrusted unsigned subtract
https://notcve.org/view.php?id=CVE-2025-39962
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix untrusted unsigned subtract Fix the following Smatch static checker warning: net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket() warn: untrusted unsigned subtract. 'ticket_len - 10 * 4' by prechecking the length of what we're trying to extract in two places in the token and decoding for a response packet. Also use sizeof() on the struct we're extracting rather specifying the size numerically to be consistent with the other related s... • https://git.kernel.org/stable/c/9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39961 – iommu/amd/pgtbl: Fix possible race while increase page table level
https://notcve.org/view.php?id=CVE-2025-39961
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and o... • https://git.kernel.org/stable/c/754265bcab78a9014f0f99cd35e0d610fcd7dfa7 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39960 – gpiolib: acpi: initialize acpi_gpio_info struct
https://notcve.org/view.php?id=CVE-2025-39960
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: gpiolib: acpi: initialize acpi_gpio_info struct Since commit 7c010d463372 ("gpiolib: acpi: Make sure we fill struct acpi_gpio_info"), uninitialized acpi_gpio_info struct are passed to __acpi_find_gpio() and later in the call stack info->quirks is used in acpi_populate_gpio_lookup. This breaks the i2c_hid_cpi driver: [ 58.122916] i2c_hid_acpi i2c-UNIW0001:00: HID over i2c has not been provided an Int IRQ [ 58.123097] i2c_hid_acpi i2c-UNIW000... • https://git.kernel.org/stable/c/7c010d463372140006bf96985a306d6cbfc6e118 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39959 – ASoC: amd: acp: Fix incorrect retrival of acp_chip_info
https://notcve.org/view.php?id=CVE-2025-39959
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp: Fix incorrect retrival of acp_chip_info Use dev_get_drvdata(dev->parent) instead of dev_get_platdata(dev) to correctly obtain acp_chip_info members in the acp I2S driver. Previously, some members were not updated properly due to incorrect data access, which could potentially lead to null pointer dereferences. This issue was missed in the earlier commit ("ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot"), which... • https://git.kernel.org/stable/c/e3933683b25e2cc94485da4909e3338e1a177b39 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39958 – iommu/s390: Make attach succeed when the device was surprise removed
https://notcve.org/view.php?id=CVE-2025-39958
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu/s390: Make attach succeed when the device was surprise removed When a PCI device is removed with surprise hotplug, there may still be attempts to attach the device to the default domain as part of tear down via (__iommu_release_dma_ownership()), or because the removal happens during probe (__iommu_probe_device()). In both cases zpci_register_ioat() fails with a cc value indicating that the device handle is invalid. This is because the... • https://git.kernel.org/stable/c/359613f2fa009587154511e4842e8ab9532edd15 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39957 – wifi: mac80211: increase scan_ies_len for S1G
https://notcve.org/view.php?id=CVE-2025-39957
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: increase scan_ies_len for S1G Currently the S1G capability element is not taken into account for the scan_ies_len, which leads to a buffer length validation failure in ieee80211_prep_hw_scan() and subsequent WARN in __ieee80211_start_scan(). This prevents hw scanning from functioning. To fix ensure we accommodate for the S1G capability length. In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211... • https://git.kernel.org/stable/c/16c9244a62116fe148f6961753b68e7160799f97 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39956 – igc: don't fail igc_probe() on LED setup error
https://notcve.org/view.php?id=CVE-2025-39956
09 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: igc: don't fail igc_probe() on LED setup error When igc_led_setup() fails, igc_probe() fails and triggers kernel panic in free_netdev() since unregister_netdev() is not called. [1] This behavior can be tested using fault-injection framework, especially the failslab feature. [2] Since LED support is not mandatory, treat LED setup failures as non-fatal and continue probe with a warning message, consequently avoiding the kernel panic. [1] kern... • https://git.kernel.org/stable/c/ea578703b03d5d651b091c39f717dc829155b520 •