CVSS: 7.8 EPSS: 0% CPEs: 9 EXPL: 0 CVE-2025-39998 – scsi: target: target_core_configfs: Add length check to avoid buffer overflow
https://notcve.org/view.php?id=CVE-2025-39998
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: target_core_configfs: Add length check to avoid buffer overflow. A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev... • https://git.kernel.org/stable/c/c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
CVSS: 7.1 EPSS: 0% CPEs: 9 EXPL: 0 CVE-2025-39996 – media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
https://notcve.org/view.php?id=CVE-2025-39996
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove. The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device. A typical... • https://git.kernel.org/stable/c/382c5546d618f24dc7d6ae7ca33412083720efbf
CVSS: 7.1 EPSS: 0% CPEs: 9 EXPL: 0 CVE-2025-39995 – media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
https://notcve.org/view.php?id=CVE-2025-39995
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe. The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, ... • https://git.kernel.org/stable/c/d32d98642de66048f9534a05f3641558e811bbc9
CVSS: 6.9 EPSS: 0% CPEs: 9 EXPL: 0 CVE-2025-39994 – media: tuner: xc5000: Fix use-after-free in xc5000_release
https://notcve.org/view.php?id=CVE-2025-39994
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: tuner: xc5000: Fix use-after-free in xc5000_release. The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv. A typical race condition is illustrated be... • https://git.kernel.org/stable/c/f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
CVSS: 7.1 EPSS: 0% CPEs: 9 EXPL: 0 CVE-2025-39993 – media: rc: fix races with imon_disconnect()
https://notcve.org/view.php?id=CVE-2025-39993
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect(). Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1... • https://git.kernel.org/stable/c/21677cfc562a27e099719d413287bc8d1d24deb7
CVSS: 7.3 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39987 – can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39987
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: hi311x: populate ndo_change_mtu() to prevent buffer overflow. Sending a PF_PACKET allows one to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the sun4i_can driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to config... • https://git.kernel.org/stable/c/57e83fb9b7468c75cb65cde1d23043553c346c6d
CVSS: 8.5 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39986 – can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39986
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow. Sending a PF_PACKET allows one to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the sun4i_can driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to con... • https://git.kernel.org/stable/c/0738eff14d817a02ab082c392c96a1613006f158
CVSS: 8.5 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39985 – can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39985
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow. Sending a PF_PACKET allows one to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the mcba_usb driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to confi... • https://git.kernel.org/stable/c/51f3baad7de943780ce0c17bd7975df567dd6e14
CVSS: 7.2 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39973 – i40e: add validation for ring_len param
https://notcve.org/view.php?id=CVE-2025-39973
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ring_len param. The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a mu... • https://git.kernel.org/stable/c/5c3c48ac6bf56367c4e89f6453cd2d61e50375bd
CVSS: 7.2 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39972 – i40e: fix idx validation in i40e_validate_queue_map
https://notcve.org/view.php?id=CVE-2025-39972
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in i40e_validate_queue_map. Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_validate_queue_map(). Several vulnerabilities have been discover... • https://git.kernel.org/stable/c/c27eac48160de72dee33d42b5a33cc7b8a2eb1f5
