CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-40320 – smb: client: fix potential cfid UAF in smb2_query_info_compound
https://notcve.org/view.php?id=CVE-2025-40320
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free. Reinitialize cfid to NULL under the replay label. Example trace (trimmed): refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../li... • https://git.kernel.org/stable/c/433042a91f9373241307725b52de573933ffedbf •
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2025-40319 – bpf: Sync pending IRQ work before freeing ring buffer
https://notcve.org/view.php?id=CVE-2025-40319
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all ... • https://git.kernel.org/stable/c/457f44363a8894135c85b7a9afd2bd8196db24ab •
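The ordering problem in this entry, as an added single-threaded model (not kernel/bpf/ringbuf.c): deferred work items carry a pointer to the ring buffer and run later from a queue, so the question is whether the buffer still exists when they run. `irq_work_queue`, `irq_work_run`, `irq_work_sync`, `ringbuf_commit` and `ringbuf_free` are hypothetical re-creations of the pattern; the buffer is static and carries a `freed` flag so a late access is counted rather than crashing.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical irq_work model: items sit on a queue until "the irq_work
 * thread" drains it. Not the kernel's implementation. */
struct irq_work {
    void (*func)(struct irq_work *);
    bool pending;
};

struct bpf_ringbuf {
    struct irq_work work;
    bool freed;               /* stands in for the memory being released */
    int wakeups;              /* notifications that ran against a live buffer */
};

static struct irq_work *pending_q[8];
static int pending_n;
static int freed_accesses;    /* work that ran against a freed ring buffer */

static void irq_work_queue(struct irq_work *w)
{
    if (w->pending)           /* an already pending item is queued only once */
        return;
    w->pending = true;
    pending_q[pending_n++] = w;
}

/* The irq_work thread: run everything queued so far. */
static void irq_work_run(void)
{
    int n = pending_n;
    pending_n = 0;
    for (int i = 0; i < n; i++) {
        pending_q[i]->pending = false;
        pending_q[i]->func(pending_q[i]);
    }
}

/* Wait until a specific item has executed; in this model that means draining. */
static void irq_work_sync(struct irq_work *w)
{
    if (w->pending)
        irq_work_run();
}

static void ringbuf_notify(struct irq_work *w)
{
    struct bpf_ringbuf *rb =
        (struct bpf_ringbuf *)((char *)w - offsetof(struct bpf_ringbuf, work));
    if (rb->freed) {          /* the kernel would be reading freed memory here */
        freed_accesses++;
        return;
    }
    rb->wakeups++;
}

/* Commit side: a record was committed, wake the consumer from irq_work later. */
static void ringbuf_commit(struct bpf_ringbuf *rb)
{
    irq_work_queue(&rb->work);
}

static void ringbuf_free(struct bpf_ringbuf *rb, bool sync_first)
{
    if (sync_first)
        irq_work_sync(&rb->work); /* the fix: nothing pending may still reference rb */
    rb->freed = true;             /* stands in for the actual free */
}

/* Scenario: commit, then free before the irq_work thread has run.
 * Returns the number of accesses that happened after the free. */
static int late_accesses(bool sync_first)
{
    static struct bpf_ringbuf rb; /* static so the late access can be observed */
    rb.work.func = ringbuf_notify;
    rb.work.pending = false;
    rb.freed = false;
    rb.wakeups = 0;
    pending_n = 0;
    freed_accesses = 0;

    ringbuf_commit(&rb);
    ringbuf_free(&rb, sync_first);
    irq_work_run();               /* the deferred work finally executes */
    return freed_accesses;
}
```

The same discipline applies to any object that embeds a deferred-work handle (irq_work, work_struct, timer, RCU callback): the owner must wait for or cancel the work before the object's memory is released, because the work finds the object through the embedded pointer and has no other way to learn it is gone.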
CVSS: 6.3 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-40318 – Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
https://notcve.org/view.php?id=CVE-2025-40318
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does a lookup and then cancels the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently. • https://git.kernel.org/stable/c/f00f36db76eb8fd10d13e80e2590f23b5beaa54d •
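The two-lock-section race, as an added deterministic model rather than net/bluetooth/hci_sync.c: the list is a sentinel-headed doubly linked list, and the "concurrent" worker is a function the scenario calls at the exact point where the lock is dropped between lookup and cancel. `cmd_entry`, `cmd_sync_work_step`, `dequeue_once_racy` and `dequeue_once_fixed` are hypothetical names; `on_list` exists only so a second `list_del()` on the same entry can be counted.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of a queued HCI command; not the kernel's struct. */
struct cmd_entry {
    struct cmd_entry *prev, *next;
    int func;                 /* identifies the queued command */
    bool on_list;             /* lets a second list_del() be detected */
};

static struct cmd_entry cmd_list = { &cmd_list, &cmd_list, 0, false };
static bool lock_held;        /* cmd_sync_work_lock, single-threaded model */
static int double_dels;       /* list_del() on an entry already removed */

static void lock(void)   { lock_held = true; }
static void unlock(void) { lock_held = false; }

static void list_add_tail(struct cmd_entry *e)
{
    e->prev = cmd_list.prev;
    e->next = &cmd_list;
    cmd_list.prev->next = e;
    cmd_list.prev = e;
    e->on_list = true;
}

static void list_del(struct cmd_entry *e)
{
    if (!e->on_list) {        /* kernel: list corruption, then use-after-free */
        double_dels++;
        return;
    }
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->on_list = false;
}

static struct cmd_entry *lookup(int func)
{
    for (struct cmd_entry *e = cmd_list.next; e != &cmd_list; e = e->next)
        if (e->func == func)
            return e;
    return NULL;
}

/* The other party (hci_cmd_sync_work in the entry): take the first command
 * off the list under the lock. If the lock is held it would block, which in
 * this single-threaded model simply means it cannot run at that point. */
static void cmd_sync_work_step(void)
{
    if (lock_held)
        return;
    lock();
    if (cmd_list.next != &cmd_list)
        list_del(cmd_list.next);
    unlock();
}

/* Before the fix: two lock sections, with a window in between. */
static int dequeue_once_racy(int func, void (*other)(void))
{
    struct cmd_entry *e;

    lock();
    e = lookup(func);
    unlock();
    if (!e)
        return 0;
    other();                  /* the window: the worker deletes e here */
    lock();
    list_del(e);              /* second list_del() on the same entry */
    unlock();
    return 1;
}

/* After the fix: lookup and cancel under one hold of the lock. */
static int dequeue_once_fixed(int func, void (*other)(void))
{
    struct cmd_entry *e;
    int found = 0;

    lock();
    other();                  /* the worker cannot get in while we hold the lock */
    e = lookup(func);
    if (e) {
        list_del(e);
        found = 1;
    }
    unlock();
    other();                  /* once we drop it, the entry is already gone */
    return found;
}

/* Returns how many double deletions one dequeue of func 7 produced. */
static int double_dels_for(bool fixed)
{
    static struct cmd_entry entry; /* constructed single queued command */
    cmd_list.next = cmd_list.prev = &cmd_list;
    entry.func = 7;
    list_add_tail(&entry);
    double_dels = 0;
    if (fixed)
        dequeue_once_fixed(7, cmd_sync_work_step);
    else
        dequeue_once_racy(7, cmd_sync_work_step);
    return double_dels;
}
```

The review question for any lookup-then-act sequence is whether the result of the lookup can change between the two steps; when the lookup returns a pointer into a structure that another path may unlink or free, the only safe answer is to act under the same lock acquisition that produced the pointer.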
CVSS: 7.2 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40317 – regmap: slimbus: fix bus_context pointer in regmap init calls
https://notcve.org/view.php?id=CVE-2025-40317
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board: Unable to handle kernel paging request at virtual address ffff8000847cbad4 ... CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b30... • https://git.kernel.org/stable/c/7d6f7fb053ad543da74119df3c4cd7bb46220471 •
CVSS: 6.6 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40316 – drm/mediatek: Fix device use-after-free on unbind
https://notcve.org/view.php?id=CVE-2025-40316
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix kobject put for component sub-drivers"). This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free. Make sure to only drop th... • https://git.kernel.org/stable/c/7d98166183d627c0b9daca7672b2191fae0f8a03 •
CVSS: 5.5 | EPSS: 0% | CPEs: 11 | EXPL: 0 | CVE-2025-40315 – usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
https://notcve.org/view.php?id=CVE-2025-40315
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ff... • https://git.kernel.org/stable/c/c9fc422c9a43e3d58d246334a71f3390401781dc •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-40314 – usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
https://notcve.org/view.php?id=CVE-2025-40314
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free. Fix: By ... • https://git.kernel.org/stable/c/8bc1901ca7b07d864fca11461b3875b31f949765 •
CVSS: 5.6 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-40313 – ntfs3: pretend $Extend records as regular files
https://notcve.org/view.php?id=CVE-2025-40313
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records. • https://git.kernel.org/stable/c/4534a70b7056fd4b9a1c6db5a4ce3c98546b291e •
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40312 – jfs: Verify inode mode when loading from disk
https://notcve.org/view.php?id=CVE-2025-40312
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk") does. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-40311 – accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
https://notcve.org/view.php?id=CVE-2025-40311
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction. Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes... • https://git.kernel.org/stable/c/ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 •
