CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-22010 – RDMA/hns: Fix soft lockup during bt pages loop
https://notcve.org/view.php?id=CVE-2025-22010
08 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup during bt pages loop Driver runs a for-loop when allocating bt pages and mapping them with buffer pages. When a large buffer (e.g. MR over 100GB) is being allocated, it may require a considerable loop count. This will lead to soft lockup: watchdog: BUG: soft lockup - CPU#27 stuck for 22s! ... • https://git.kernel.org/stable/c/38389eaa4db192648916464b60f6086d6bbaa6de •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22009 – regulator: dummy: force synchronous probing
https://notcve.org/view.php?id=CVE-2025-22009
08 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: dummy: force synchronous probing Sometimes I get a NULL pointer dereference at boot time in kobject_get() with the following call stack: anatop_regulator_probe() devm_regulator_register() regulator_register() regulator_resolve_supply() kobject_get() By placing some extra BUG_ON() statements I could verify that this is raised because probing of the 'dummy' regulator driver is not completed ('dummy_regulator_rdev' is still NULL). I... • https://git.kernel.org/stable/c/259b93b21a9ffe5117af4dfb5505437e463c6a5a •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-22008 – regulator: check that dummy regulator has been probed before using it
https://notcve.org/view.php?id=CVE-2025-22008
08 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: regulador: comprobar que el regulador ficticio haya sido probado antes de usarlo Debido al sondeo asincrónico del controlador existe la posibilidad de que el regulador ficticio ... • https://git.kernel.org/stable/c/3a9c46af5654783f99015727ac65bc2a23e2735a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-22007 – Bluetooth: Fix error code in chan_alloc_skb_cb()
https://notcve.org/view.php?id=CVE-2025-22007
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. Several vulnerabilitie... • https://git.kernel.org/stable/c/6b8d4a6a03144c5996f98db7f8256267b0d72a3a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-22005 – ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
https://notcve.org/view.php?id=CVE-2025-22005
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's c... • https://git.kernel.org/stable/c/7dd73168e273938b9e9bb42ca51b0c27d807992b •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-22004 – net: atm: fix use after free in lec_send()
https://notcve.org/view.php?id=CVE-2025-22004
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. Several vulnerabilities have been discovered in the Linux kernel that may lead to a ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22003 – can: ucan: fix out of bound read in strscpy() source
https://notcve.org/view.php?id=CVE-2025-22003
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)). Let's consider below buffers: dest[len + 1]; /* will be NUL terminated */ src[len]; /* may not be NUL terminated */ When doing: strncpy(d... • https://git.kernel.org/stable/c/7fdaf8966aae476deafe11f9a0067ff588615444 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-22002 – netfs: Call `invalidate_cache` only if implemented
https://notcve.org/view.php?id=CVE-2025-22002
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfs: Call `invalidate_cache` only if implemented Many filesystems such as NFS and Ceph do not implement the `invalidate_cache` method. On those filesystems, if writing to the cache (`NETFS_WRITE_TO_CACHE`) fails for some reason, the kernel crashes like this: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: Oops: 001... • https://git.kernel.org/stable/c/0e0f2dfe880fb19e4b15a7ca468623eb0b4ba586 •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22001 – accel/qaic: Fix integer overflow in qaic_validate_req()
https://notcve.org/view.php?id=CVE-2025-22001
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug. In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add... • https://git.kernel.org/stable/c/ff13be8303336ead5621712f2c55012d738878b5 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-22000 – mm/huge_memory: drop beyond-EOF folios with the right number of refs
https://notcve.org/view.php?id=CVE-2025-22000
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: drop beyond-EOF folios with the right number of refs When an after-split folio is large and needs to be dropped due to EOF, folio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all page cache refs. Otherwise, the folio will not be freed, causing memory leak. This leak would happen on a filesystem with blocksize > page_size and a truncate is performed, where the blocksize makes folios split to >0 order ones, ca... • https://git.kernel.org/stable/c/c010d47f107f609b9f4d6a103b6dfc53889049e9 •