CVSS: 7.2 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-40280 – tipc: Fix use-after-free in tipc_mon_reinit_self()
https://notcve.org/view.php?id=CVE-2025-40280
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __r...
Reference: https://git.kernel.org/stable/c/28845c28f842e9e55e75b2c116bff714bb039055
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2025-40279 – net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
https://notcve.org/view.php?id=CVE-2025-40279
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak. In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared ...
Reference: https://git.kernel.org/stable/c/22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40278 – net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
https://notcve.org/view.php?id=CVE-2025-40278
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak. Fix a KMSAN kernel-infoleak detected by syzbot: [net?] KMSAN: kernel-infoleak in __skb_datagram_iter. In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace. Initi...
Reference: https://git.kernel.org/stable/c/ef6980b6becb1afd9d82a4f043749a10ae81bf14
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40277 – drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
https://notcve.org/view.php?id=CVE-2025-40277
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE. This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access ...
Reference: https://git.kernel.org/stable/c/8ce75f8ab9044fe11caaaf2b2c82471023212f9f
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40275 – ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
https://notcve.org/view.php?id=CVE-2025-40275
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd. In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without...
Reference: https://git.kernel.org/stable/c/17156f23e93c0f59e06dd2aaffd06221341caaee
CVSS: 7.1 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-40273 – NFSD: free copynotify stateid in nfs4_free_ol_stateid()
https://notcve.org/view.php?id=CVE-2025-40273
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4_free_ol_stateid(). Typically a copynotify stateid is freed either when the parent's stateid is being closed/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period. However, consider the case where the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. The new client instance, while doing CREATE_SESSION, would force expire previo...
Reference: https://git.kernel.org/stable/c/624322f1adc58acd0b69f77a6ddc764207e97241
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2025-40272 – mm/secretmem: fix use-after-free race in fault handler
https://notcve.org/view.php?id=CVE-2025-40272
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler. When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in addi...
Reference: https://git.kernel.org/stable/c/1507f51255c9ff07d75909a84e7c0d7f3c4b2f49
CVSS: 6.6 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40271 – fs/proc: fix uaf in proc_readdir_de()
https://notcve.org/view.php?id=CVE-2025-40271
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de(). The pde is erased from the subdir rbtree through rb_erase(), but the node is not set to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() to set the erased node to EMPTY, so that pde_subdir_next() will return NULL and avoid uaf access. We found a uaf issue while testing with stress-ng; it requires running the testcases getdent and tun at the same time. The steps of the issue are as follows: 1) use getdent to trave...
Reference: https://git.kernel.org/stable/c/710585d4922fd315f2cada8fbe550ae8ed23e994
CVSS: 4.6 | EPSS: 0% | CPEs: 13 | EXPL: 0
CVE-2025-40269 – ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
https://notcve.org/view.php?id=CVE-2025-40269
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer. The PCM stream data in the USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as the wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in...
Reference: https://git.kernel.org/stable/c/02c56650f3c118d3752122996d96173d26bb13aa
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40268 – cifs: client: fix memory leak in smb3_fs_context_parse_param
https://notcve.org/view.php?id=CVE-2025-40268
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3_fs_context_parse_param. The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888...
Reference: https://git.kernel.org/stable/c/af1a3d2ba9543e99d78914d8fb88b61d0531d9a1
