CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2025-37948 – arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs
https://notcve.org/view.php?id=CVE-2025-37948
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs A malicious BPF program may manipulate the branch history to influence what the hardware speculates will happen next. On exit from a BPF program, emit the BHB mititgation sequence. This is only applied for 'classic' cBPF programs that are loaded by seccomp. In the Linux kernel, the following vulnerability has been resolved: arm64: bpf: Add BHB mitigation to the epilogue for cB... • https://git.kernel.org/stable/c/c6a8735d841bcb7649734bb3a787bb174c67c0d8 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37942 – HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX
https://notcve.org/view.php?id=CVE-2025-37942
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX As noted by Anssi some 20 years ago, pool report is sometimes messed up. This worked fine on many devices but casued oops on VRS DirectForce PRO. Here, we're making sure pool report is refetched before trying to access any of it's fields. While loop was replaced with a for loop + exit conditions were moved aroud to decrease the possibility of creating an infinite loop scen... • https://git.kernel.org/stable/c/211861869766a7bb7c72158aee0140ec67e182a7 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37932 – sch_htb: make htb_qlen_notify() idempotent
https://notcve.org/view.php?id=CVE-2025-37932
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_qlen_notify() idempotent htb_qlen_notify() always deactivates the HTB class and in fact could trigger a warning if it is already deactivated. Therefore, it is not idempotent and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life. In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_qlen_notify() idempotent htb_qle... • https://git.kernel.org/stable/c/e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53146 – media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
https://notcve.org/view.php?id=CVE-2023-53146
14 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach dw2102_i2c_transfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 950e252cb469 ("[media] dw2102: limit messages... • https://git.kernel.org/stable/c/77cbd42d29de9ffc93d5529bab8813cde53af14c •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2023-53145 – Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
https://notcve.org/view.php?id=CVE-2023-53145
10 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame. If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove. In the Linux kernel, the following vulnerability has been resolved: Blueto... • https://git.kernel.org/stable/c/6c3653627397a0d6eab19b20a59423e118985a6b •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37884 – bpf: Fix deadlock between rcu_tasks_trace and event_mutex.
https://notcve.org/view.php?id=CVE-2025-37884
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Fix the following deadlock: CPU A _free_event() perf_kprobe_destroy() mutex_lock(&event_mutex) perf_trace_event_unreg() synchronize_rcu_tasks_trace() There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case. CPU B bpf_prog_test_run_syscall() rcu_read_lock_trace() bpf_prog_run_pin_on_cpu() bpf_prog_load() bpf_tracing_func_pr... • https://git.kernel.org/stable/c/255cbc9db7067a83713fd2f4b31034ddd266549a •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37883 – s390/sclp: Add check for get_zeroed_page()
https://notcve.org/view.php?id=CVE-2025-37883
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Add check for get_zeroed_page() Add check for the return value of get_zeroed_page() in sclp_console_init() to prevent null pointer dereference. Furthermore, to solve the memory leak caused by the loop allocation, add a free helper to do the free job. In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Add check for get_zeroed_page() Add check for the return value of get_zeroed_page() in sclp_console_ini... • https://git.kernel.org/stable/c/e1e00dc45648125ef7cb87ebc3b581ac224e7b39 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37882 – usb: xhci: Fix isochronous Ring Underrun/Overrun event handling
https://notcve.org/view.php?id=CVE-2025-37882
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix isochronous Ring Underrun/Overrun event handling The TRB pointer of these events points at enqueue at the time of error occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we are handling the event, a new TD may be queued at this ring position. I can trigger this race by rising interrupt moderation to increase IRQ handling delay. Similar delay may occur naturally due to system load. If this ever happens after ... • https://git.kernel.org/stable/c/16a7a8e6c47fea5c847beb696c8c21a7a44c1915 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-37880 – um: work around sched_yield not yielding in time-travel mode
https://notcve.org/view.php?id=CVE-2025-37880
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: um: work around sched_yield not yielding in time-travel mode sched_yield by a userspace may not actually cause scheduling in time-travel mode as no time has passed. In the case seen it appears to be a badly implemented userspace spinlock in ASAN. Unfortunately, with time-travel it causes an extreme slowdown or even deadlock depending on the kernel configuration (CONFIG_UML_MAX_USERSPACE_ITERATIONS). Work around it by accounting time to the ... • https://git.kernel.org/stable/c/990ddc65173776f1e01e7135d8c1fd5f8fd4d5d2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37879 – 9p/net: fix improper handling of bogus negative read/write replies
https://notcve.org/view.php?id=CVE-2025-37879
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: 9p/net: fix improper handling of bogus negative read/write replies In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) <= rsize (positive) because both variables were signed. Make variables unsigned to avoid this problem. The reproducer linked below now fails with the following error instead of a null pointer deref: 9pnet: bo... • https://git.kernel.org/stable/c/468ff4a7c61fb811c596a7c44b6a5455e40fd12b •