CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39713 – media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
https://notcve.org/view.php?id=CVE-2025-39713
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock. Multiple interrupt invocations can race, with each reading... • https://git.kernel.org/stable/c/0f314f6c2e77beb1a232be21dd6be4e1849ba5ac •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39712 – media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval
https://notcve.org/view.php?id=CVE-2025-39712
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval Getting / Setting the frame interval using the V4L2 subdev pad ops get_frame_interval/set_frame_interval causes a deadlock, as the subdev state is locked in the [1] but also in the driver itself. In [2] it's described that the caller is responsible to acquire and release the lock in this case. Therefore, acquiring the lock in the driver is wrong. Remove the lock acquisiti... • https://git.kernel.org/stable/c/24d756e914fc3418bad7897b0657aefa9ef848e8 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39711 – media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
https://notcve.org/view.php?id=CVE-2025-39711
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls Both the ACE and CSI driver are missing a mei_cldev_disable() call in their remove() function. This causes the mei_cl client to stay part of the mei_device->file_list list even though its memory is freed by mei_cl_bus_dev_release() calling kfree(cldev->cl). This leads to a use-after-free when mei_vsc_remove() runs mei_stop() which first removes all mei bus devices c... • https://git.kernel.org/stable/c/29006e196a5661d9afc8152fa2bf8a5347ac17b4 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39710 – media: venus: Add a check for packet size after reading from shared memory
https://notcve.org/view.php?id=CVE-2025-39710
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for packet size after reading from shared memory Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to process and prevent potential out-of-bounds memory access. In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for packet s... • https://git.kernel.org/stable/c/d96d3f30c0f2f564f6922bf4ccdf4464992e31fb •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39709 – media: venus: protect against spurious interrupts during probe
https://notcve.org/view.php?id=CVE-2025-39709
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against spurious interrupts during probe Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference. This error condition has been observed during system boot on Rb3Gen2. In the Linux kernel, the following vulnerability has been resolved: media: ... • https://git.kernel.org/stable/c/af2c3834c8ca7cc65d15592ac671933df8848115 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39707 – drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities
https://notcve.org/view.php?id=CVE-2025-39707
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities HUBBUB structure is not initialized on DCE hardware, so check if it is NULL to avoid null dereference while accessing amdgpu_dm_capabilities file in debugfs. In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities HUBBUB structure is not initialized on DCE hardware, so check if it is NULL to... • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39706 – drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
https://notcve.org/view.php?id=CVE-2025-39706
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but kfd_process_destroy_wq calls kfd_debugfs_remove_process. This line debugfs_remove_recursive(entry->proc... • https://git.kernel.org/stable/c/4a488a7ad71401169cecee75dc94bcce642e2c53 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39705 – drm/amd/display: fix a Null pointer dereference vulnerability
https://notcve.org/view.php?id=CVE-2025-39705
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a Null pointer dereference vulnerability [Why] A null pointer dereference vulnerability exists in the AMD display driver's (DC module) cleanup function dc_destruct(). When display control context (dc->ctx) construction fails (due to memory allocation failure), this pointer remains NULL. During subsequent error handling when dc_destruct() is called, there's no NULL check before dereferencing the perf_trace member (dc->ct... • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39703 – net, hsr: reject HSR frame if skb can't hold tag
https://notcve.org/view.php?id=CVE-2025-39703
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if skb can't hold tag Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG): [ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1 [ 45.392559] ------------[ cut here ]------------ [ 45.392912] kernel BUG at net/core/skbuff.c:211! [ 45.393276] Oops: invalid opcod... • https://git.kernel.org/stable/c/f6442ee08fe66c8e45c4f246531a2aaf4f17a7a7 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39702 – ipv6: sr: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2025-39702
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. It was discovered that improper initialization... • https://git.kernel.org/stable/c/bf355b8d2c30a289232042cacc1cfaea4923936c • CWE-208: Observable Timing Discrepancy •