CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37897 – wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
https://notcve.org/view.php?id=CVE-2025-37897
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases mac->lock can not be held as the driver is not working with the device at the moment. All functions that use mac->lock unlock it just after it ... • https://git.kernel.org/stable/c/68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-37896 – spi: spi-mem: Add fix to avoid divide error
https://notcve.org/view.php?id=CVE-2025-37896
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: spi-mem: Add fix to avoid divide error For some SPI flash memory operations, dummy bytes are not mandatory. For example, in Winbond SPINAND flash memory devices, the `write_cache` and `update_cache` operation variants have zero dummy bytes. Calculating the duration for SPI memory operations with zero dummy bytes causes a divide error when `ncycles` is calculated in the spi_mem_calc_op_duration(). Add changes to skip the 'ncylcles' calc... • https://git.kernel.org/stable/c/226d6cb3cb799aae46d0dd19a521133997d9db11 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37895 – bnxt_en: Fix error handling path in bnxt_init_chip()
https://notcve.org/view.php?id=CVE-2025-37895
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix error handling path in bnxt_init_chip() WARN_ON() is triggered in __flush_work() if bnxt_init_chip() fails because we call cancel_work_sync() on dim work that has not been initialized. WARNING: CPU: 37 PID: 5223 at kernel/workqueue.c:4201 __flush_work.isra.0+0x212/0x230 The driver relies on the BNXT_STATE_NAPI_DISABLED bit to check if dim work has already been cancelled. But in the bnxt_open() path, BNXT_STATE_NAPI_DISABLED is ... • https://git.kernel.org/stable/c/f697217f980ffc796c72c34dbf7d59a6b1996888 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37894 – net: use sock_gen_put() when sk_state is TCP_TIME_WAIT
https://notcve.org/view.php?id=CVE-2025-37894
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: use sock_gen_put() when sk_state is TCP_TIME_WAIT It is possible for a pointer of type struct inet_timewait_sock to be returned from the functions __inet_lookup_established() and __inet6_lookup_established(). This can cause a crash when the returned pointer is of type struct inet_timewait_sock and sock_put() is called on it. The following is a crash call stack that shows sk->sk_wmem_alloc being accessed in sk_free() during the call to ... • https://git.kernel.org/stable/c/c9d1d23e5239f41700be69133a5769ac5ebc88a8 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37892 – mtd: inftlcore: Add error check for inftl_read_oob()
https://notcve.org/view.php?id=CVE-2025-37892
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fails. In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwri... • https://git.kernel.org/stable/c/8593fbc68b0df1168995de76d1af38eb62fd6b62 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37891 – ALSA: ump: Fix buffer overflow at UMP SysEx message conversion
https://notcve.org/view.php?id=CVE-2025-37891
19 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: ump: Fix buffer overflow at UMP SysEx message conversion The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its size is 4, as it was supposed to be the max size for a MIDI1 UMP packet data. However, the implementation overlooked that SysEx is handled in a different format, and it can be up to 6 bytes, as found in do_convert_to_ump(). It leads eventually to a buffer over... • https://git.kernel.org/stable/c/0b5288f5fe63eab687c14e5940b9e0d532b129f2 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37890 – net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
https://notcve.org/view.php?id=CVE-2025-37890
16 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure t... • https://git.kernel.org/stable/c/37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37889 – ASoC: ops: Consistently treat platform_max as control value
https://notcve.org/view.php?id=CVE-2025-37889
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Consistently treat platform_max as control value This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min"), and makes some additional related updates. There are two ways the platform_max could be interpreted; the maximum register value, or the maximum value the control can be set to. The patch moved from treating the value as a control value to a register one. When the patch was applied it... • https://git.kernel.org/stable/c/c11fc224e58e7972ffd05b8f25e9b1d6a0b8d562 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37888 – net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
https://notcve.org/view.php?id=CVE-2025-37888
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Add NULL check for mlx5_get_flow_namespace() returns in mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Add NULL check for mlx5_get_flow_namespace() returns in mlx5_create_inner_ttc_table() and mlx5_... • https://git.kernel.org/stable/c/137f3d50ad2a0f2e1ebe5181d6b32a5541786b99 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37887 – pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result
https://notcve.org/view.php?id=CVE-2025-37887
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result If the FW doesn't support the PDS_CORE_CMD_FW_CONTROL command the driver might at the least print garbage and at the worst crash when the user runs the "devlink dev info" devlink command. This happens because the stack variable fw_list is not 0 initialized which results in fw_list.num_fw_slots being a garbage value from the stack. Then the driver tries to access fw_list.fw_names[i]... • https://git.kernel.org/stable/c/45d76f492938cdc27ddadc16e1e75103f4cfbf56 •