CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39911 – i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
https://notcve.org/view.php?id=CVE-2025-39911
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free the IRQs correctly and instead triggers the warning: Trying to free already-free IRQ 173 WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+... • https://git.kernel.org/stable/c/493fb30011b3ab5173cef96f1d1ce126da051792 •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39910 – mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()
https://notcve.org/view.php?id=CVE-2025-39910
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and always allocate memory using the hardcoded GFP_KERNEL flag. This makes them inconsistent with vmalloc(), which was recently extended to support GFP_NOFS and GFP_NOIO allocations. Page table allocations performed during shadow population also ignore the external gfp_mask. To preserve the intended semant... • https://git.kernel.org/stable/c/451769ebb7e792c3404db53b3c2a422990de654e •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39909 – mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()
https://notcve.org/view.php?id=CVE-2025-39909
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Patch series "mm/damon: avoid divide-by-zero in DAMON module's parameters application". DAMON's RECLAIM and LRU_SORT modules perform no validation on user-configured parameters during application, which may lead to division-by-zero errors. Avoid the divide-by-zero by adding validation checks when DAMON modules attempt to apply the parameters. This patch (of 2): Dur... • https://git.kernel.org/stable/c/40e983cca9274e177bd5b9379299b44d9536ac68 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39907 – mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
https://notcve.org/view.php?id=CVE-2025-39907
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Avoid below overlapping mappings by using a contiguous non-cacheable buffer. [ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST, overlapping mappings aren't supported [ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300 [ 4.097071] Modules linked in: [ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tain... • https://git.kernel.org/stable/c/2cd457f328c100bc98e36d55fe210e9ab067c704 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39905 – net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
https://notcve.org/view.php?id=CVE-2025-39905
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: phylink: add lock for serializing concurrent pl->phydev writes with resolver Currently phylink_resolve() protects itself against concurrent phylink_bringup_phy() or phylink_disconnect_phy() calls which modify pl->phydev by relying on pl->state_mutex. The problem is that in phylink_resolve(), pl->state_mutex is in a lock inversion state with pl->phydev->lock. So pl->phydev->lock needs to be acquired prior to pl->state_mutex. But that re... • https://git.kernel.org/stable/c/56fe63b05ec84ae6674269d78397cec43a7a295a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39902 – mm/slub: avoid accessing metadata when pointer is invalid in object_err()
https://notcve.org/view.php?id=CVE-2025-39902
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid accessing metadata when pointer is invalid in object_err() object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object. One known path to the crash is when alloc_consistency_checks() determines the pointer to the allocated object is invalid beca... • https://git.kernel.org/stable/c/81819f0fc8285a2a5a921c019e3e3d7b6169d225 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39901 – i40e: remove read access to debugfs files
https://notcve.org/view.php?id=CVE-2025-39901
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: remove read access to debugfs files The 'command' and 'netdev_ops' debugfs files are a legacy debugging interface supported by the i40e driver since its early days by commit 02e9c290814c ("i40e: debugfs interface"). Both of these debugfs files provide a read handler which is mostly useless, and which is implemented with questionable logic. They both use a static 256 byte buffer which is initialized to the empty string. In the case of ... • https://git.kernel.org/stable/c/02e9c290814cc143ceccecb14eac3e7a05da745e •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39895 – sched: Fix sched_numa_find_nth_cpu() if mask offline
https://notcve.org/view.php?id=CVE-2025-39895
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: sched: Fix sched_numa_find_nth_cpu() if mask offline sched_numa_find_nth_cpu() uses a bsearch to look for the 'closest' CPU in sched_domains_numa_masks and given cpus mask. However they might not intersect if all CPUs in the cpus mask are offline. bsearch will return NULL in that case, bail out instead of dereferencing a bogus pointer. The previous behaviour lead to this bug when using maxcpus=4 on an rk3399 (LLLLbb) (i.e. booting with all ... • https://git.kernel.org/stable/c/cd7f55359c90a4108e6528e326b8623fce1ad72a •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39894 – netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
https://notcve.org/view.php?id=CVE-2025-39894
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm When send a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 96... • https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39891 – wifi: mwifiex: Initialize the chan_stats array to zero
https://notcve.org/view.php?id=CVE-2025-39891
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey(). There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also ... • https://git.kernel.org/stable/c/bf35443314acb43fa8a3f9f8046e14cbe178762b •