CVSS: 8.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22042 – ksmbd: add bounds check for create lease context
https://notcve.org/view.php?id=CVE-2025-22042
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for create lease context Add missing bounds check for create lease context. • https://git.kernel.org/stable/c/629dd37acc336ad778979361c351e782053ea284 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22041 – ksmbd: fix use-after-free in ksmbd_sessions_deregister()
https://notcve.org/view.php?id=CVE-2025-22041
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_sessions_deregister() In multichannel mode, UAF issue can occur in session_deregister when the second channel sets up a session through the connection of the first channel. session that is freed through the global session table can be accessed again through ->sessions of connection. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_sessions_deregister() ... • https://git.kernel.org/stable/c/f0eb3f575138b816da74697bd506682574742fcd •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22040 – ksmbd: fix session use-after-free in multichannel connection
https://notcve.org/view.php?id=CVE-2025-22040
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition be... • https://git.kernel.org/stable/c/596407adb9af1ee75fe7c7529607783d31b66e7f •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22039 – ksmbd: fix overflow in dacloffset bounds check
https://notcve.org/view.php?id=CVE-2025-22039
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix overflow in dacloffset bounds check The dacloffset field was originally typed as int and used in an unchecked addition, which could overflow and bypass the existing bounds check in both smb_check_perm_dacl() and smb_inherit_dacl(). This could result in out-of-bounds memory access and a kernel crash when dereferencing the DACL pointer. This patch converts dacloffset to unsigned int and uses check_add_overflow() to validate access ... • https://git.kernel.org/stable/c/6a9cd9ff0fa2bcc30b2bfb8bdb161eb20e44b9dc •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22038 – ksmbd: validate zero num_subauth before sub_auth is accessed
https://notcve.org/view.php?id=CVE-2025-22038
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero num_subauth before sub_auth is accessed Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed. In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero num_subauth before sub_auth is accessed Access psid->sub_auth[psid->num_subauth - 1... • https://git.kernel.org/stable/c/3ac65de111c686c95316ade660f8ba7aea3cd3cc •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22037 – ksmbd: fix null pointer dereference in alloc_preauth_hash()
https://notcve.org/view.php?id=CVE-2025-22037
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in alloc_preauth_hash() The Client send malformed smb2 negotiate request. ksmbd return error response. Subsequently, the client can send smb2 session setup even thought conn->preauth_info is not allocated. This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore session setup request if smb2 negotiate phase is not complete. In the Linux kernel, the following vulnerability has been resolved: ksm... • https://git.kernel.org/stable/c/ca8bed31edf728a662ef9d6f39f50e7a7dc2b5ad •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22036 – exfat: fix random stack corruption after get_block
https://notcve.org/view.php?id=CVE-2025-22036
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: exfat: fix random stack corruption after get_block When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation.
CVSS: 7.1EPSS: 0%CPEs: 12EXPL: 0CVE-2025-22035 – tracing: Fix use-after-free in print_graph_function_flags during tracer switching
https://notcve.org/view.php?id=CVE-2025-22035
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point... • https://git.kernel.org/stable/c/05319d707732c728eb721ac616a50e7978eb499a •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22034 – mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs
https://notcve.org/view.php?id=CVE-2025-22034
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs Patch series "mm: fixes for device-exclusive entries (hmm)", v2. Discussing the PageTail() call in make_device_exclusive_range() with Willy, I recently discovered [1] that device-exclusive handling does not properly work with THP, making the hmm-tests selftests fail if THPs are enabled on the system. Looking into more details, I found that hugetlb is not properly fenced, and I realized that so... • https://git.kernel.org/stable/c/9cb28da54643ad464c47585cd5866c30b0218e67 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22033 – arm64: Don't call NULL in do_compat_alignment_fixup()
https://notcve.org/view.php?id=CVE-2025-22033
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, the kernel panics: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort inf... • https://git.kernel.org/stable/c/3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 •