
CVE-2025-22068 – ublk: make sure ubq->canceling is set when queue is frozen
https://notcve.org/view.php?id=CVE-2025-22068
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ublk: make sure ubq->canceling is set when queue is frozen Now ublk driver depends on `ubq->canceling` for deciding if the request can be dispatched via uring_cmd & io_uring_cmd_complete_in_task(). Once ubq->canceling is set, the uring_cmd can be done via ublk_cancel_cmd() and io_uring_cmd_done(). So set ubq->canceling when queue is frozen, this way makes sure that the flag can be observed from ublk_queue_rq() reliably, and avoids use-after... • https://git.kernel.org/stable/c/216c8f5ef0f209a3797292c487bdaa6991ab4b92 •

CVE-2025-22067 – spi: cadence: Fix out-of-bounds array access in cdns_mrvl_xspi_setup_clock()
https://notcve.org/view.php?id=CVE-2025-22067
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: cadence: Fix out-of-bounds array access in cdns_mrvl_xspi_setup_clock() If requested_clk > 128, cdns_mrvl_xspi_setup_clock() iterates over the entire cdns_mrvl_xspi_clk_div_list array without breaking out early, causing 'i' to go beyond the array bounds. Fix that by stopping the loop when it gets to the last entry, clamping the clock to the minimum 6.25 MHz. Fixes the following warning with an UBSAN kernel: vmlinux.o: warning: objtool:... • https://git.kernel.org/stable/c/26d34fdc49712ddbd42b11102f5d9d78a0f42097 •

CVE-2025-22066 – ASoC: imx-card: Add NULL check in imx_card_probe()
https://notcve.org/view.php?id=CVE-2025-22066
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: imx-card: Add NULL check in imx_card_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, imx_card_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. • https://git.kernel.org/stable/c/aa736700f42fa0813e286ca2f9274ffaa25163b9 •

CVE-2025-22065 – idpf: fix adapter NULL pointer dereference on reboot
https://notcve.org/view.php?id=CVE-2025-22065
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference. echo 1 > /sys/class/net... • https://git.kernel.org/stable/c/e850efed5e152e6bdd367d5b82019f21298c0653 •

CVE-2025-22064 – netfilter: nf_tables: don't unregister hook when table is dormant
https://notcve.org/view.php?id=CVE-2025-22064
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't unregister hook when table is dormant When nf_tables_updchain encounters an error, hook registration needs to be rolled back. This should only be done if the hook has been registered, which won't happen when the table is flagged as dormant (inactive). Just move the assignment into the registration block. • https://git.kernel.org/stable/c/b9703ed44ffbfba85c103b9de01886a225e14b38 •

CVE-2025-22063 – netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
https://notcve.org/view.php?id=CVE-2025-22063
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets When calling netlbl_conn_setattr(), addr->sa_family is used to determine the function behavior. If sk is an IPv4 socket, but the connect function is called with an IPv6 address, the function calipso_sock_setattr() is triggered. Inside this function, the following code is executed: sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; Since sk is an IPv4 socket, pinet6 is NUL... • https://git.kernel.org/stable/c/ceba1832b1b2da0149c51de62a847c00bca1677a •

CVE-2025-22062 – sctp: add mutual exclusion in proc_sctp_do_udp_port()
https://notcve.org/view.php?id=CVE-2025-22062
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: add mutual exclusion in proc_sctp_do_udp_port() We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() or risk a crash as syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)... • https://git.kernel.org/stable/c/046c052b475e7119b6a30e3483e2888fc606a2f8 •

CVE-2025-22060 – net: mvpp2: Prevent parser TCAM memory corruption
https://notcve.org/view.php?id=CVE-2025-22060
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM information, from concurrent modifications. Both the TCAM and SRAM tables are indirectly accessed by configuring an index register that selects the row to read or write to. This means that operations must be atomic in order to, e.g., avoid spreading writes across multiple rows. Since the shadow SRAM array is used to find free ... • https://git.kernel.org/stable/c/3f518509dedc99f0b755d2ce68d24f610e3a005a •

CVE-2025-22059 – udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
https://notcve.org/view.php?id=CVE-2025-22059
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix multiple wraparounds of sk->sk_rmem_alloc. __udp_enqueue_schedule_skb() has the following condition: if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) goto drop; sk->sk_rcvbuf is initialised by net.core.rmem_default and later can be configured by SO_RCVBUF, which is limited by net.core.rmem_max, or SO_RCVBUFFORCE. If we set INT_MAX to sk->sk_rcvbuf, the condition is always false as sk->sk_rmem_alloc is also signed int. Then, the... • https://git.kernel.org/stable/c/6a1f12dd85a8b24f871dfcf467378660af9c064d •

CVE-2025-22058 – udp: Fix memory accounting leak.
https://notcve.org/view.php?id=CVE-2025-22058
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. • https://git.kernel.org/stable/c/f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb •