CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40051 – vhost: vringh: Modify the return value check
https://notcve.org/view.php?id=CVE-2025-40051
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal. In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal. Several vulnerabilities have been discovered in the Linu... • https://git.kernel.org/stable/c/309bba39c945ac8ab8083ac05cd6cfe5822968e0 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40049 – Squashfs: fix uninit-value in squashfs_get_parent
https://notcve.org/view.php?id=CVE-2025-40049
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: fix uninit-value in squashfs_get_parent Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory. Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field. unsigned int parent_ino ... • https://git.kernel.org/stable/c/122601408d20c77704268f1dea9f9ce4abf997c2 •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40048 – uio_hv_generic: Let userspace take care of interrupt mask
https://notcve.org/view.php?id=CVE-2025-40048
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Let userspace take care of interrupt mask Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.... • https://git.kernel.org/stable/c/95096f2fbd10186d3e78a328b327afc71428f65f •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40044 – fs: udf: fix OOB read in lengthAllocDescs handling
https://notcve.org/view.php?id=CVE-2025-40044
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: udf: fix OOB read in lengthAllocDescs handling When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BU... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40043 – net: nfc: nci: Add parameter validation for packet data
https://notcve.org/view.php?id=CVE-2025-40043
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Add parameter validation for packet data Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools"). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40042 – tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-40042
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatc... • https://git.kernel.org/stable/c/50d780560785b068c358675c5f0bf6c83b5c373e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 3CVE-2025-40040 – mm/ksm: fix flag-dropping behavior in ksm_madvise
https://notcve.org/view.php?id=CVE-2025-40040
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/ksm: fix flag-dropping behavior in ksm_madvise syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ... • https://packetstorm.news/files/id/212396 •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40039 – ksmbd: Fix race condition in RPC handle list access
https://notcve.org/view.php?id=CVE-2025-40039
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix race condition in RPC handle list access The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by 'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was flawed, leading to potential race conditions. In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock before calling xa_store() and xa_erase(). Since these operations... • https://git.kernel.org/stable/c/b685757c7b08d5073046fb379be965fd6c06aafc •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40036 – misc: fastrpc: fix possible map leak in fastrpc_put_args
https://notcve.org/view.php?id=CVE-2025-40036
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix possible map leak in fastrpc_put_args copy_to_user() failure would cause an early return without cleaning up the fdlist, which has been updated by the DSP. This could lead to map leak. Fix this by redirecting to a cleanup path on failure, ensuring that all mapped buffers are properly released before returning. In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix possible map leak in fastr... • https://git.kernel.org/stable/c/c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40035 – Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
https://notcve.org/view.php?id=CVE-2025-40035
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace. Initialize ff_up_compat to zero before filling valid fields. In the... • https://git.kernel.org/stable/c/2d56f3a32c0e62f99c043d2579840f9731fe5855 •