CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40254 – net: openvswitch: remove never-working support for setting nsh fields
https://notcve.org/view.php?id=CVE-2025-40254
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: remove never-working support for setting nsh fields The validation of the set(nsh(...)) action is completely wrong. It runs through the nsh_key_put_from_nlattr() function that is the same function that validates NSH keys for the flow match and the push_nsh() action. However, the set(nsh(...)) has a very different memory layout. Nested attributes in there are doubled in size in case of the masked set(). That makes proper va... • https://git.kernel.org/stable/c/b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2025-40253 – s390/ctcm: Fix double-kfree
https://notcve.org/view.php?id=CVE-2025-40253
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/ctcm: Fix double-kfree The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' frees it again. Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. Bug detected by the clang static analyzer. In the Linux kernel, the following vulnerability has been resolved: s390/ctcm: Fix double-kfre... • https://git.kernel.org/stable/c/467ddbbe7e749d558f13e640f50f546149c930b3 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40252 – net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
https://notcve.org/view.php?id=CVE-2025-40252
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. F... • https://git.kernel.org/stable/c/55482edc25f0606851de42e73618f813f310d009 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40251 – devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
https://notcve.org/view.php?id=CVE-2025-40251
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, without actually setting the `devlink_rate->parent` pointer to NULL. This leaves a dangling pointer in the `devlink_rate` struct, which cause refcou... • https://git.kernel.org/stable/c/d7555984507822458b32a6405881038241d140be •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40250 – net/mlx5: Clean up only new IRQ glue on request_irq() failure
https://notcve.org/view.php?id=CVE-2025-40250
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clean up only new IRQ glue on request_irq() failure The mlx5_irq_alloc() function can inadvertently free the entire rmap and end up in a crash[1] when the other threads tries to access this, when request_irq() fails due to exhausted IRQ vectors. This commit modifies the cleanup to remove only the specific IRQ mapping that was just added. This prevents removal of other valid mappings and ensures precise cleanup of the failed IRQ al... • https://git.kernel.org/stable/c/3354822cde5a9f72aa725b3c619188b149a71a33 •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40248 – vsock: Ignore signal/timeout on connect() if already established
https://notcve.org/view.php?id=CVE-2025-40248
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. ... • https://git.kernel.org/stable/c/d021c344051af91f42c5ba9fdedc176740cbd238 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40247 – drm/msm: Fix pgtable prealloc error path
https://notcve.org/view.php?id=CVE-2025-40247
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix pgtable prealloc error path The following splat was reported: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, Dir... • https://git.kernel.org/stable/c/0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40246 – xfs: fix out of bounds memory read error in symlink repair
https://notcve.org/view.php?id=CVE-2025-40246
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: xfs: fix out of bounds memory read error in symlink repair xfs/286 produced this report on my test fleet: ================================================================== BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110 Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184): memcpy_orig+0x54/0x110 xrep_symlink_salvage_inline+0xb3/0xf0 [xfs] xrep_symlink_salvage+0x100/0x110 [xfs] xrep_symlink+0x2e/0x80 [xfs] xrep_att... • https://git.kernel.org/stable/c/2651923d8d8db00a57665822f017fa7c76758044 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40245 – nios2: ensure that memblock.current_limit is set when setting pfn limits
https://notcve.org/view.php?id=CVE-2025-40245
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: nios2: ensure that memblock.current_limit is set when setting pfn limits On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn a... • https://git.kernel.org/stable/c/7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40244 – hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
https://notcve.org/view.php?id=CVE-2025-40244
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() The syzbot reported issue in __hfsplus_ext_cache_extent(): [ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 [ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 [ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 [ 7... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •