CVSS: 5.8 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-40303 – btrfs: ensure no dirty metadata is written back for an fs with errors
https://notcve.org/view.php?id=CVE-2025-40303
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers(). It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger th... • https://git.kernel.org/stable/c/13e6c37b989859e70b0d73d3f2cb0aa022159b17 •
CVSS: 7.2 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40301 – Bluetooth: hci_event: validate skb length for unknown CC opcode
https://notcve.org/view.php?id=CVE-2025-40301
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->d... • https://git.kernel.org/stable/c/afcb3369f46ed5dc883a7b92f2dd1e264d79d388 •
CVSS: 7.0 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40297 – net: bridge: fix use-after-free due to MST port state bypass
https://notcve.org/view.php?id=CVE-2025-40297
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabl... • https://git.kernel.org/stable/c/ec7328b59176227216c461601c6bd0e922232a9b •
CVSS: 5.6 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40294 – Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
https://notcve.org/view.php?id=CVE-2025-40294
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied. Increasing the size of the 'v... • https://git.kernel.org/stable/c/99f30e12e588f9982a6eb1916e53510bff25b3b8 •
CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40293 – iommufd: Don't overflow during division for dirty tracking
https://notcve.org/view.php?id=CVE-2025-40293
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows. • https://git.kernel.org/stable/c/58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 •
CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40292 – virtio-net: fix received length check in big packets
https://notcve.org/view.php?id=CVE-2025-40292
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags. Because the host announced buffer length can be malicious (e.g. the host vhost_net ... • https://git.kernel.org/stable/c/4959aebba8c06992abafa09d1e80965e0825af54 •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-40289 – drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM
https://notcve.org/view.php?id=CVE-2025-40289
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash. • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 •
CVSS: 6.3 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40288 – drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices
https://notcve.org/view.php?id=CVE-2025-40288
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicate... • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40286 – smb/server: fix possible memory leak in smb2_read()
https://notcve.org/view.php?id=CVE-2025-40286
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible memory leak in smb2_read() Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree(). • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 •
CVSS: 7.1 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-40285 – smb/server: fix possible refcount leak in smb2_sess_setup()
https://notcve.org/view.php?id=CVE-2025-40285
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible refcount leak in smb2_sess_setup() Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put(). • https://git.kernel.org/stable/c/37a0e2b362b3150317fb6e2139de67b1e29ae5ff •
