CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21745 – blk-cgroup: Fix class @block_class's subsystem refcount leakage
https://notcve.org/view.php?id=CVE-2025-21745
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount leakage blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with class_dev_iter_exit(). In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount... • https://git.kernel.org/stable/c/ef45fe470e1e5410db4af87abc5d5055427945ac •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21744 – wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
https://notcve.org/view.php?id=CVE-2025-21744
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs. The following sequence deletes the interface: brcmf_detach() brcmf_remove_interface() brcmf_del_if() Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches. After brcmf_remove_interface() call the brcmf_p... • https://git.kernel.org/stable/c/4e51d6d093e763348916e69d06d87e0a5593661b •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21743 – usbnet: ipheth: fix possible overflow in DPE length check
https://notcve.org/view.php?id=CVE-2025-21743
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow if wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB read. Move the wDatagramIndex term to the other side of the inequality. An existing condition ensures that wDatagramIndex < urb->actual_length. In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflo... • https://git.kernel.org/stable/c/a2d274c62e44b1995c170595db3865c6fe701226 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21742 – usbnet: ipheth: use static NDP16 location in URB
https://notcve.org/view.php?id=CVE-2025-21742
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read. On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format. T... • https://git.kernel.org/stable/c/a2d274c62e44b1995c170595db3865c6fe701226 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21741 – usbnet: ipheth: fix DPE OoB read
https://notcve.org/view.php?id=CVE-2025-21741
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header. In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header. • https://git.kernel.org/stable/c/a2d274c62e44b1995c170595db3865c6fe701226 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21739 – scsi: ufs: core: Fix use-after free in init error and remove paths
https://notcve.org/view.php?id=CVE-2025-21739
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or ... • https://git.kernel.org/stable/c/d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21738 – ata: libata-sff: Ensure that we cannot write outside the allocated buffer
https://notcve.org/view.php?id=CVE-2025-21738
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug... • https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21736 – nilfs2: fix possible int overflows in nilfs_fiemap()
https://notcve.org/view.php?id=CVE-2025-21736
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix possible int overflows in nilfs_fiemap() Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result by being prepared to go through potentially maxblocks == INT_MAX blocks, the value in n may experience an overflow caused by left shift of blkbits. While it is extremely unlikely to occur, play it safe and cast right hand expression to wider type to mitigate the issue. Found by Linux Verification Center (linuxtesting... • https://git.kernel.org/stable/c/622daaff0a8975fb5c5b95f24f3234550ba32e92 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21735 – NFC: nci: Add bounds checking in nci_hci_create_pipe()
https://notcve.org/view.php?id=CVE-2025-21735
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate(). In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory co... • https://git.kernel.org/stable/c/a1b0b9415817c14d207921582f269d03f848b69f •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21734 – misc: fastrpc: Fix copy buffer page size
https://notcve.org/view.php?id=CVE-2025-21734
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix copy buffer page size For non-registered buffer, fastrpc driver copies the buffer and pass it to the remote subsystem. There is a problem with current implementation of page size calculation which is not considering the offset in the calculation. This might lead to passing of improper and out-of-bounds page size which could result in memory issue. Calculate page start and page end using the offset adjusted address instead... • https://git.kernel.org/stable/c/02b45b47fbe84e23699bb6bdc74d4c2780e282b4 •