CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37903 – drm/amd/display: Fix slab-use-after-free in hdcp
https://notcve.org/view.php?id=CVE-2025-37903
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free in hdcp The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free: [ 66.... • https://git.kernel.org/stable/c/da3fd7ac0bcf372cc57117bdfcd725cca7ef975a •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37901 – irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
https://notcve.org/view.php?id=CVE-2025-37901
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs On Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not have a corresponding MPM pin and should not be handled inside the MPM driver. The IRQ domain hierarchy is always applied, so it's required to explicitly disconnect the hierarchy for those. The pinctrl-msm driver marks these with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but irq-qcom-mpm is cur... • https://git.kernel.org/stable/c/a6199bb514d8a63f61c2a22c1f912376e14d0fb2 •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37900 – iommu: Fix two issues in iommu_copy_struct_from_user()
https://notcve.org/view.php?id=CVE-2025-37900
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu: Fix two issues in iommu_copy_struct_from_user() In the review for iommu_copy_struct_to_user() helper, Matt pointed out that a NULL pointer should be rejected prior to dereferencing it: https://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com And Alok pointed out a typo at the same time: https://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com Since both issues were copied from iommu_copy_struct_f... • https://git.kernel.org/stable/c/e9d36c07bb787840e4813fb09a929a17d522a69f •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 2CVE-2025-37899 – ksmbd: fix use-after-free in session logoff
https://notcve.org/view.php?id=CVE-2025-37899
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user ... • https://github.com/SeanHeelan/o3_finds_cve-2025-37899 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-37898 – powerpc64/ftrace: fix module loading without patchable function entries
https://notcve.org/view.php?id=CVE-2025-37898
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc64/ftrace: fix module loading without patchable function entries get_stubs_size assumes that there must always be at least one patchable function entry, which is not always the case (modules that export data but no code), otherwise it returns -ENOEXEC and thus the section header sh_size is set to that value. During module_memory_alloc() the size is passed to execmem_alloc() after being page-aligned and thus set to zero which will cau... • https://git.kernel.org/stable/c/eec37961a56aa4f3fe1c33ffd48eec7d1bb0c009 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37897 – wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
https://notcve.org/view.php?id=CVE-2025-37897
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases mac->lock can not be held as the driver is not working with the device at the moment. All functions that use mac->lock unlock it just after it ... • https://git.kernel.org/stable/c/68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-37896 – spi: spi-mem: Add fix to avoid divide error
https://notcve.org/view.php?id=CVE-2025-37896
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: spi-mem: Add fix to avoid divide error For some SPI flash memory operations, dummy bytes are not mandatory. For example, in Winbond SPINAND flash memory devices, the `write_cache` and `update_cache` operation variants have zero dummy bytes. Calculating the duration for SPI memory operations with zero dummy bytes causes a divide error when `ncycles` is calculated in the spi_mem_calc_op_duration(). Add changes to skip the 'ncylcles' calc... • https://git.kernel.org/stable/c/226d6cb3cb799aae46d0dd19a521133997d9db11 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37895 – bnxt_en: Fix error handling path in bnxt_init_chip()
https://notcve.org/view.php?id=CVE-2025-37895
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix error handling path in bnxt_init_chip() WARN_ON() is triggered in __flush_work() if bnxt_init_chip() fails because we call cancel_work_sync() on dim work that has not been initialized. WARNING: CPU: 37 PID: 5223 at kernel/workqueue.c:4201 __flush_work.isra.0+0x212/0x230 The driver relies on the BNXT_STATE_NAPI_DISABLED bit to check if dim work has already been cancelled. But in the bnxt_open() path, BNXT_STATE_NAPI_DISABLED is ... • https://git.kernel.org/stable/c/f697217f980ffc796c72c34dbf7d59a6b1996888 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37894 – net: use sock_gen_put() when sk_state is TCP_TIME_WAIT
https://notcve.org/view.php?id=CVE-2025-37894
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: use sock_gen_put() when sk_state is TCP_TIME_WAIT It is possible for a pointer of type struct inet_timewait_sock to be returned from the functions __inet_lookup_established() and __inet6_lookup_established(). This can cause a crash when the returned pointer is of type struct inet_timewait_sock and sock_put() is called on it. The following is a crash call stack that shows sk->sk_wmem_alloc being accessed in sk_free() during the call to ... • https://git.kernel.org/stable/c/c9d1d23e5239f41700be69133a5769ac5ebc88a8 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37892 – mtd: inftlcore: Add error check for inftl_read_oob()
https://notcve.org/view.php?id=CVE-2025-37892
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fails. In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwri... • https://git.kernel.org/stable/c/8593fbc68b0df1168995de76d1af38eb62fd6b62 •