CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38258 – mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
https://notcve.org/view.php?id=CVE-2025-38258
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write memcg_path_store() assigns a newly allocated memory buffer to filter->memcg_path, without deallocating the previously allocated and assigned memory buffer. As a result, users can leak kernel memory by continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak by deallocating the previously set memory buffer. In the Linux kernel, the following vulne... • https://git.kernel.org/stable/c/7ee161f18b5da5170b5d6a51aace49d312099128 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38257 – s390/pkey: Prevent overflow in size calculation for memdup_user()
https://notcve.org/view.php?id=CVE-2025-38257
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_... • https://git.kernel.org/stable/c/f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38256 – io_uring/rsrc: fix folio unpinning
https://notcve.org/view.php?id=CVE-2025-38256
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: fix folio unpinning syzbot complains about an unmapping failure: [ 108.070381][ T14] kernel BUG at mm/gup.c:71! [ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025 [ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work [ 108.174205][ T14] Call trace: [ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7... • https://git.kernel.org/stable/c/a8edbb424b1391b077407c75d8f5d2ede77aa70d •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38255 – lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
https://notcve.org/view.php?id=CVE-2025-38255
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP... • https://git.kernel.org/stable/c/6a6dcae8f486c3f3298d0767d34505121c7b0b81 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38254 – drm/amd/display: Add sanity checks for drm_edid_raw()
https://notcve.org/view.php?id=CVE-2025-38254
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add sanity checks for drm_edid_raw() When EDID is retrieved via drm_edid_raw(), it doesn't guarantee to return proper EDID bytes the caller wants: it may be either NULL (that leads to an Oops) or with too long bytes over the fixed size raw_edid array (that may lead to memory corruption). The latter was reported actually when connected with a bad adapter. Add sanity checks for drm_edid_raw() to address the above corner cases... • https://git.kernel.org/stable/c/48edb2a4256eedf6c92eecf2bc7744e6ecb44b5e •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38253 – HID: wacom: fix crash in wacom_aes_battery_handler()
https://notcve.org/view.php?id=CVE-2025-38253
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix crash in wacom_aes_battery_handler() Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity") introduced wacom_aes_battery_handler() which is scheduled as a delayed work (aes_battery_work). In wacom_remove(), aes_battery_work is not canceled. Consequently, if the device is removed while aes_battery_work is still pending, then hard crashes or "Oops: general protection fault..." are experienced whe... • https://git.kernel.org/stable/c/fd2a9b29dc9c4c35def91d5d1c5b470843539de6 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38252 – cxl/ras: Fix CPER handler device confusion
https://notcve.org/view.php?id=CVE-2025-38252
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: cxl/ras: Fix CPER handler device confusion By inspection, cxl_cper_handle_prot_err() is making a series of fragile assumptions that can lead to crashes: 1/ It assumes that endpoints identified in the record are a CXL-type-3 device, nothing guarantees that. 2/ It assumes that the device is bound to the cxl_pci driver, nothing guarantees that. 3/ Minor, it holds the device lock over the switch-port tracing for no reason as the trace is 100% g... • https://git.kernel.org/stable/c/36f257e3b0ba904f5a4e7fa8dafaa60e88cdd28c •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38251 – atm: clip: prevent NULL deref in clip_push()
https://notcve.org/view.php?id=CVE-2025-38251
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize. In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes ... • https://git.kernel.org/stable/c/93a2014afbace907178afc3c9c1e62c9a338595a •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38250 – Bluetooth: hci_core: Fix use-after-free in vhci_flush()
https://notcve.org/view.php?id=CVE-2025-38250
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread close()d a vhci file descriptor while its device was being used by iotcl() on another thread. Once the last fd refcnt is released, vhci_release() calls hci_unregister_dev(), hci_free_dev(), and kfree() for struct vhci_data, which is set to hci_dev->dev->driver_data. The problem is that there is n... • https://git.kernel.org/stable/c/bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38249 – ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
https://notcve.org/view.php?id=CVE-2025-38249
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than e... • https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf •