CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38465 – netlink: Fix wraparounds of sk->sk_rmem_alloc.
https://notcve.org/view.php?id=CVE-2025-38465
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38464 – tipc: Fix use-after-free in tipc_conn_close().
https://notcve.org/view.php?id=CVE-2025-38464
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and rel... • https://git.kernel.org/stable/c/c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38462 – vsock: Fix transport_{g2h,h2g} TOCTOU
https://notcve.org/view.php?id=CVE-2025-38462
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sy... • https://git.kernel.org/stable/c/c0cfa2d8a788fcf45df5bf4070ab2474c88d543a •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38461 – vsock: Fix transport_* TOCTOU
https://notcve.org/view.php?id=CVE-2025-38461
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_con... • https://git.kernel.org/stable/c/c0cfa2d8a788fcf45df5bf4070ab2474c88d543a •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38460 – atm: clip: Fix potential null-ptr-deref in to_atmarpd().
https://notcve.org/view.php?id=CVE-2025-38460
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd(). En el kernel de Linu... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38459 – atm: clip: Fix infinite recursive call of clip_push().
https://notcve.org/view.php?id=CVE-2025-38459
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's preven... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38458 – atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
https://notcve.org/view.php?id=CVE-2025-38458
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38457 – net/sched: Abort __tc_modify_qdisc if parent class does not exist
https://notcve.org/view.php?id=CVE-2025-38457
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc... • https://git.kernel.org/stable/c/5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38456 – ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
https://notcve.org/view.php?id=CVE-2025-38456
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on and invalid pointer will lead to memory corruption. We don't really need to call atomic_dec() if we haven't called atomic_add_return() so update the if (intf->in_shutdown) path as well. En el kernel de Linux, se ha resuelto la siguiente vuln... • https://git.kernel.org/stable/c/8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38455 – KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight
https://notcve.org/view.php?id=CVE-2025-38455
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vcpus. The bulk of vCPU creation runs _outside_ of kvm->lock to allow creating multiple vCPUs in parallel, and so sev_info.es_active can get toggled from false=>true... • https://git.kernel.org/stable/c/b56639318bb2be66aceba92836279714488709b4 •