CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21718 – net: rose: fix timer races against user threads
https://notcve.org/view.php?id=CVE-2025-21718
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed. BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Ha... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21716 – vxlan: Fix uninit-value in vxlan_vnifilter_dump()
https://notcve.org/view.php?id=CVE-2025-21716
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix uninit-value in vxlan_vnifilter_dump() KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1]. If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations. [1] BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnif... • https://git.kernel.org/stable/c/f9c4bb0b245cee35ef66f75bf409c9573d934cf9 •
CVSS: -EPSS: 0%CPEs: 12EXPL: 0CVE-2025-21715 – net: davicom: fix UAF in dm9000_drv_remove
https://notcve.org/view.php?id=CVE-2025-21715
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. This is similar to the issue fixed in commit ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). This bug is detected by our static analysis tool. • https://git.kernel.org/stable/c/cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21714 – RDMA/mlx5: Fix implicit ODP use after free
https://notcve.org/view.php?id=CVE-2025-21714
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP use after free Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr. Without this change, we could try to invalidate this mr twice, which in turn could result in queuing a MR work destroy twice, and eventually the second work could execute after the MR was freed due to the first work, causing a user after free and tra... • https://git.kernel.org/stable/c/5256edcb98a14b11409a2d323f56a70a8b366363 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21713 – powerpc/pseries/iommu: Don't unset window if it was never set
https://notcve.org/view.php?id=CVE-2025-21713
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: Don't unset window if it was never set On pSeries, when user attempts to use the same vfio container used by different iommu group, the spapr_tce_set_window() returns -EPERM and the subsequent cleanup leads to the below crash. Kernel attempted to read user page (308) - exploit attempt? BUG: Kernel NULL pointer dereference on read at 0x00000308 Faulting instruction address: 0xc0000000001ce358 Oops: Kernel access of bad... • https://git.kernel.org/stable/c/f431a8cde7f102fce412546db6e62fdbde1131a7 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21712 – md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime
https://notcve.org/view.php?id=CVE-2025-21712
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct md_bitmap_stats"), following panic is reported: Oops: general protection fault, probably for non-canonical address RIP: 0010:bitmap_get_stats+0x2b/0xa0 Call Trace:
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21711 – net/rose: prevent integer overflows in rose_setsockopt()
https://notcve.org/view.php?id=CVE-2025-21711
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net/rose: prevent integer overflows in rose_setsockopt() In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur. Do the safest minimum and fix these issues by checking the contents of 'opt' and returning -EINVAL if they are too large. Also, switch to unsigned int and remove useless check for negative 'opt' in ROSE_IDLE case. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21710 – tcp: correct handling of extreme memory squeeze
https://notcve.org/view.php?id=CVE-2025-21710
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: correct handling of extreme memory squeeze Testing with iperf3 using the "pasta" protocol splicer has revealed a problem in the way tcp handles window advertising in extreme memory squeeze situations. Under memory pressure, a socket endpoint may temporarily advertise a zero-sized window, but this is not stored as part of the socket data. The reasoning behind this is that it is considered a temporary setting which shouldn't influence an... • https://git.kernel.org/stable/c/e2142825c120d4317abf7160a0fc34b3de532586 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2025-21709 – kernel: be more careful about dup_mmap() failures and uprobe registering
https://notcve.org/view.php?id=CVE-2025-21709
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: kernel: be more careful about dup_mmap() failures and uprobe registering If a memory allocation fails during dup_mmap(), the maple tree can be left in an unsafe state for other iterators besides the exit path. All the locks are dropped before the exit_mmap() call (in mm/mmap.c), but the incomplete mm_struct can be reached through (at least) the rmap finding the vmas which have a pointer back to the mm_struct. Up to this point, there have be... • https://git.kernel.org/stable/c/d2406291483775ecddaee929231a39c70c08fda2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21708 – net: usb: rtl8150: enable basic endpoint checking
https://notcve.org/view.php?id=CVE-2025-21708
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: enable basic endpoint checking Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below. For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testing control one is not essential) to mitigate the issue with a view to do other related cosmetic changes later, if they are necessary. [1] Syzkal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •