CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40053 – net: dlink: handle copy_thresh allocation failure
https://notcve.org/view.php?id=CVE-2025-40053
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh allocation failure The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference. This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path. Tested-on: D-Link DGE-550T Rev-A3 In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40052 – smb: client: fix crypto buffers in non-linear memory
https://notcve.org/view.php?id=CVE-2025-40052
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix crypto buffers in non-linear memory The crypto API, through the scatterlist API, expects input buffers to be in linear memory. We handle this with the cifs_sg_set_buf() helper that converts vmalloc'd memory to their corresponding pages. However, when we allocate our aead_request buffer (@creq in smb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly puts aead_request->__ctx in vmalloc area. AEAD algorithm the... • https://git.kernel.org/stable/c/d08089f649a0cfb2099c8551ac47eef0cc23fdf2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40051 – vhost: vringh: Modify the return value check
https://notcve.org/view.php?id=CVE-2025-40051
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal. In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal. Several vulnerabilities have been discovered in the Linu... • https://git.kernel.org/stable/c/309bba39c945ac8ab8083ac05cd6cfe5822968e0 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40049 – Squashfs: fix uninit-value in squashfs_get_parent
https://notcve.org/view.php?id=CVE-2025-40049
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: fix uninit-value in squashfs_get_parent Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory. Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field. unsigned int parent_ino ... • https://git.kernel.org/stable/c/122601408d20c77704268f1dea9f9ce4abf997c2 •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40048 – uio_hv_generic: Let userspace take care of interrupt mask
https://notcve.org/view.php?id=CVE-2025-40048
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Let userspace take care of interrupt mask Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.... • https://git.kernel.org/stable/c/95096f2fbd10186d3e78a328b327afc71428f65f •
CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40047 – io_uring/waitid: always prune wait queue entry in io_waitid_wait()
https://notcve.org/view.php?id=CVE-2025-40047
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: always prune wait queue entry in io_waitid_wait() For a successful return, always remove our entry from the wait queue entry list. Previously this was skipped if a cancelation was in progress, but this can race with another invocation of the wait queue entry callback. In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: always prune wait queue entry in io_waitid_wait() For a successful return... • https://git.kernel.org/stable/c/f31ecf671ddc498f20219453395794ff2383e06b •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40045 – ASoC: codecs: wcd937x: set the comp soundwire port correctly
https://notcve.org/view.php?id=CVE-2025-40045
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd937x: set the comp soundwire port correctly For some reason we endup with setting soundwire port for HPHL_COMP and HPHR_COMP as zero, this can potentially result in a memory corruption due to accessing and setting -1 th element of port_map array. In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd937x: set the comp soundwire port correctly For some reason we endup with setting soundwire por... • https://git.kernel.org/stable/c/82be8c62a38c6a44e64ecb29d7a9b5cb35c6cad4 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40044 – fs: udf: fix OOB read in lengthAllocDescs handling
https://notcve.org/view.php?id=CVE-2025-40044
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: udf: fix OOB read in lengthAllocDescs handling When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BU... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40043 – net: nfc: nci: Add parameter validation for packet data
https://notcve.org/view.php?id=CVE-2025-40043
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Add parameter validation for packet data Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools"). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40042 – tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-40042
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatc... • https://git.kernel.org/stable/c/50d780560785b068c358675c5f0bf6c83b5c373e •