CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37797 – net_sched: hfsc: Fix a UAF vulnerability in class handling
https://notcve.org/view.php?id=CVE-2025-37797
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qd... • https://git.kernel.org/stable/c/21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37796 – wifi: at76c50x: fix use after free access in at76_disconnect
https://notcve.org/view.php?id=CVE-2025-37796
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface. In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use afte... • https://git.kernel.org/stable/c/29e20aa6c6aff35c81d4da2e2cd516dadb569061 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37794 – wifi: mac80211: Purge vif txq in ieee80211_do_stop()
https://notcve.org/view.php?id=CVE-2025-37794
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Purge vif txq in ieee80211_do_stop() After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state. Because vif.drv_priv is now cleared in this function, this could lead to driver crash. For example in ath12k, ahvif is store in vif.drv_priv.... • https://git.kernel.org/stable/c/ba8c3d6f16a1f9305c23ac1d2fd3992508c5ac03 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37793 – ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()
https://notcve.org/view.php?id=CVE-2025-37793
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component_probe() does not check for this case, which results in a NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component... • https://git.kernel.org/stable/c/739c031110da9ba966b0189fa25a2a1c0d42263c •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37792 – Bluetooth: btrtl: Prevent potential NULL dereference
https://notcve.org/view.php?id=CVE-2025-37792
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: Prevent potential NULL dereference The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' I... • https://git.kernel.org/stable/c/26503ad25de8c7c93a2037f919c2e49a62cf65f1 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37791 – ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll()
https://notcve.org/view.php?id=CVE-2025-37791
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct size of rpl is sizeof(*rpl) which should be just 1 byte. Using the pointer size instead can cause stack corruption: Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ethtool_cmis_wait_for_cond+0xf4/0x100 CPU: 72 UID: 0 PID: 4440 Comm: kworker/72:2 Kdump: loaded Tainted: G OE ... • https://git.kernel.org/stable/c/a39c84d796254e6b1662ca0c46dbc313379e9291 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37790 – net: mctp: Set SOCK_RCU_FREE
https://notcve.org/view.php?id=CVE-2025-37790
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mctp: Set SOCK_RCU_FREE Bind lookup runs under RCU, so ensure that a socket doesn't go away in the middle of a lookup. In the Linux kernel, the following vulnerability has been resolved: net: mctp: Set SOCK_RCU_FREE Bind lookup runs under RCU, so ensure that a socket doesn't go away in the middle of a lookup. • https://git.kernel.org/stable/c/833ef3b91de692ef33b800bca6b1569c39dece74 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37789 – net: openvswitch: fix nested key length validation in the set() action
https://notcve.org/view.php?id=CVE-2025-37789
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the attribute is OK first. In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the att... • https://git.kernel.org/stable/c/ccb1352e76cff0524e7ccb2074826a092dd13016 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-37788 – cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
https://notcve.org/view.php?id=CVE-2025-37788
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path In the for loop used to allocate the loc_array and bmap for each port, a memory leak is possible when the allocation for loc_array succeeds, but the allocation for bmap fails. This is because when the control flow goes to the label free_eth_finfo, only the allocations starting from (i-1)th iteration are freed. Fix that by freeing the loc_array in the bmap allocation error pat... • https://git.kernel.org/stable/c/d915c299f1da68a7dbb43895b8741c7b916c9d08 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37787 – net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered
https://notcve.org/view.php?id=CVE-2025-37787
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Russell King reports that a system with mv88e6xxx dereferences a NULL pointer when unbinding this driver: https://lore.kernel.org/netdev/Z_lRkMlTJ1KQ0kVX@shell.armlinux.org.uk/ The crash seems to be in devlink_region_destroy(), which is not NULL tolerant but is given a NULL devlink global region pointer. At least on some chips, some devlink regions are cond... • https://git.kernel.org/stable/c/836021a2d0e0e4c90b895a35bd9c0342071855fb •