CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39676 – scsi: qla4xxx: Prevent a potential error pointer dereference
https://notcve.org/view.php?id=CVE-2025-39676
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() fu... • https://git.kernel.org/stable/c/13483730a13bef372894aefcf73760f5c6c297be •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38734 – net/smc: fix UAF on smcsk after smc_listen_out()
https://notcve.org/view.php?id=CVE-2025-38734
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing report a UAF issue: [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0 [ 16.447134] #PF: supervisor read access in kernel mod e [ 16.447516] #PF: error_code(0x0000) - not-present pag e [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda7... • https://git.kernel.org/stable/c/3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38729 – ALSA: usb-audio: Validate UAC3 power domain descriptors, too
https://notcve.org/view.php?id=CVE-2025-38729
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB a... • https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf • CWE-125: Out-of-bounds Read •
CVSS: 6.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38728 – smb3: fix for slab out of bounds on mount to ksmbd
https://notcve.org/view.php?id=CVE-2025-38728
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_M... • https://git.kernel.org/stable/c/fe856be475f7cf5ffcde57341d175ce9fd09434b •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38724 – nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
https://notcve.org/view.php?id=CVE-2025-38724
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if the... • https://git.kernel.org/stable/c/d20c11d86d8f821a64eac7d6c8f296f06d935f4f •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38721 – netfilter: ctnetlink: fix refcount leak on table dump
https://notcve.org/view.php?id=CVE-2025-38721
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table(): if (res < 0) { nf_conntrack_get(&ct->ct_general); // HERE cb->args[1] = (unsigned long)ct; ... While its very unlikely, its possible that ct == last. If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone. This prevents the conntrack object from being released, which in turn keeps pre... • https://git.kernel.org/stable/c/d205dc40798d97d63ad348bfaf7394f445d152d4 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38718 – sctp: linearize cloned gso packets in sctp_rcv
https://notcve.org/view.php?id=CVE-2025-38718
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2... • https://git.kernel.org/stable/c/90017accff61ae89283ad9a51f9ac46ca01633fb • CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 6.9EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38717 – net: kcm: Fix race condition in kcm_unattach()
https://notcve.org/view.php?id=CVE-2025-38717
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: kcm: Fix race condition in kcm_unattach() syzbot found a race condition when kcm_unattach(psock) and kcm_release(kcm) are executed at the same time. kcm_unattach() is missing a check of the flag kcm->tx_stopped before calling queue_work(). If the kcm has a reserved psock, kcm_unattach() might get executed between cancel_work_sync() and unreserve_psock() in kcm_release(), requeuing kcm->tx_work right before kcm gets freed in kcm_done().... • https://git.kernel.org/stable/c/ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-38716 – hfs: fix general protection fault in hfs_find_init()
https://notcve.org/view.php?id=CVE-2025-38716
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: fix general protection fault in hfs_find_init() The hfs_find_init() method can trigger the crash if tree pointer is NULL: [ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI [ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] [ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full) [... • https://git.kernel.org/stable/c/434a964daa14b9db083ce20404a4a2add54d037a •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38715 – hfs: fix slab-out-of-bounds in hfs_bnode_read()
https://notcve.org/view.php?id=CVE-2025-38715
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and correct the requested length (if it is necessary). These methods are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent the access out of allocate... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •