
CVE-2025-38363 – drm/tegra: Fix a possible null pointer dereference
https://notcve.org/view.php?id=CVE-2025-38363
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null pointer dereference In tegra_crtc_reset(), new memory is allocated with kzalloc(), but no check is performed. Before calling __drm_atomic_helper_crtc_reset, state should be checked to prevent possible null pointer dereference. • https://git.kernel.org/stable/c/b7e0b04ae450a0f2f73c376c3057fb05d798e33c •

CVE-2025-38362 – drm/amd/display: Add null pointer check for get_first_active_display()
https://notcve.org/view.php?id=CVE-2025-38362
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check for get_first_active_display() The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference in mod_hdcp_hdcp2_enable_encryption(). Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_N... • https://git.kernel.org/stable/c/2deade5ede56581722c0d7672f28b09548dc0fc4 •

CVE-2025-38361 – drm/amd/display: Check dce_hwseq before dereferencing it
https://notcve.org/view.php?id=CVE-2025-38361
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check dce_hwseq before dereferencing it [WHAT] hws was checked for null earlier in dce110_blank_stream, indicating hws can be null, and should be checked whenever it is used. (cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad) • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •

CVE-2025-38359 – s390/mm: Fix in_atomic() handling in do_secure_storage_access()
https://notcve.org/view.php?id=CVE-2025-38359
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/mm: Fix in_atomic() handling in do_secure_storage_access() Kernel user spaces accesses to not exported pages in atomic context incorrectly try to resolve the page fault. With debug options enabled call traces like this can be seen: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39 preempt_count: 1, expected: 0 RCU nest d... • https://git.kernel.org/stable/c/d2e317dfd2d1fe416c77315d17c5d57dbe374915 •

CVE-2025-38354 – drm/msm/gpu: Fix crash when throttling GPU immediately during boot
https://notcve.org/view.php?id=CVE-2025-38354
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/msm/gpu: Fix crash when throttling GPU immediately during boot There is a small chance that the GPU is already hot during boot. In that case, the call to of_devfreq_cooling_register() will immediately try to apply devfreq cooling, as seen in the following crash: Unable to handle kernel paging request at virtual address 0000000000014110 pc : a6xx_gpu_busy+0x1c/0x58 [msm] lr : msm_devfreq_get_dev_status+0xbc/0x140 [msm] Call trace: a6xx_g... • https://git.kernel.org/stable/c/6694482a70e9536efbf2ac233cbf0c302d6e2dae •

CVE-2025-38352 – posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
https://notcve.org/view.php?id=CVE-2025-38352
22 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will... • https://git.kernel.org/stable/c/0bdd2ed4138ec04e09b4f8165981efc99e439f55 •

CVE-2025-38351 – KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush
https://notcve.org/view.php?id=CVE-2025-38351
19 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering ... • https://git.kernel.org/stable/c/260970862c88b4130e9e12be023c7e2c2d37a966 •

CVE-2025-38350 – net/sched: Always pass notifications when child class becomes empty
https://notcve.org/view.php?id=CVE-2025-38350
19 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attemp... • https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a •

CVE-2025-38349 – eventpoll: don't decrement ep refcount while still holding the ep mutex
https://notcve.org/view.php?id=CVE-2025-38349
18 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep refcount and then doing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead to a use-after-free. That pattern is actually fine for the very last reference, because the code in question will delay the actual call to "ep_free(ep)" until after it has unlocked the mutex. But it's wrong for the m... • https://git.kernel.org/stable/c/58c9b016e12855286370dfb704c08498edbc857a •

CVE-2025-38348 – wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
https://notcve.org/view.php?id=CVE-2025-38348
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common *priv, | struct sk_buff *skb) |{ | struct p54_hdr *hdr = (struct p... • https://git.kernel.org/stable/c/7cb770729ba895f73253dfcd46c3fcba45d896f9 •