CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39933 – smb: client: let recv_done verify data_offset, data_length and remaining_data_length
https://notcve.org/view.php?id=CVE-2025-39933
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: let recv_done verify data_offset, data_length and remaining_data_length This is inspired by the related server fixes. • https://git.kernel.org/stable/c/f198186aa9bbd60fae7a2061f4feec614d880299 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39932 – smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
https://notcve.org/view.php?id=CVE-2025-39932
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) In smbd_destroy() we may destroy the memory so we better wait until post_send_credits_work is no longer pending and will never be started again. I actually just hit the case using rxe: WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe] ... [ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs] [ 53... • https://git.kernel.org/stable/c/f198186aa9bbd60fae7a2061f4feec614d880299 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39931 – crypto: af_alg - Set merge to zero early in af_alg_sendmsg
https://notcve.org/view.php?id=CVE-2025-39931
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set merge to zero early in af_alg_sendmsg If an error causes af_alg_sendmsg to abort, ctx->merge may contain a garbage value from the previous loop. This may then trigger a crash on the next entry into af_alg_sendmsg when it attempts to do a merge that can't be done. Fix this by setting ctx->merge to zero near the start of the loop. In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set mer... • https://git.kernel.org/stable/c/8ff590903d5fc7f5a0a988c38267a3d08e6393a2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39929 – smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path
https://notcve.org/view.php?id=CVE-2025-39929
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path During tests of another unrelated patch I was able to trigger this error: Objects remaining on __kmem_cache_shutdown() In the Linux kernel, the following vulnerability has been resolved: smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path During tests of another unrelated patch I was able to trigger this error: Objects remaining on __kmem_cache_shutdow... • https://git.kernel.org/stable/c/f198186aa9bbd60fae7a2061f4feec614d880299 •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-53529 – wifi: rtw88: Fix memory leak in rtw88_usb
https://notcve.org/view.php?id=CVE-2023-53529
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix memory leak in rtw88_usb Kmemleak shows the following leak arising from routine in the usb probe routine: unreferenced object 0xffff895cb29bba00 (size 512): comm "(udev-worker)", pid 534, jiffies 4294903932 (age 102751.088s) hex dump (first 32 bytes): 77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 00 w000...../-+0... 02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00 ..*(.....U...... backtrace: [
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-53526 – jbd2: check 'jh->b_transaction' before removing it from checkpoint
https://notcve.org/view.php?id=CVE-2023-53526
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: jbd2: check 'jh->b_transaction' before removing it from checkpoint Following process will corrupt ext4 image: Step 1: jbd2_journal_commit_transaction __jbd2_journal_insert_checkpoint(jh, commit_transaction) // Put jh into trans1->t_checkpoint_list journal->j_checkpoint_transactions = commit_transaction // Put trans1 into journal->j_checkpoint_transactions Step 2: do_get_write_access test_clear_buffer_dirty(bh) // clear buffer dirty,set jbd ... • https://git.kernel.org/stable/c/b832174b7f89df3ebab02f5b485d00127a0e1a6e •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-53525 – RDMA/cma: Allow UD qp_type to join multicast only
https://notcve.org/view.php?id=CVE-2023-53525
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Allow UD qp_type to join multicast only As for multicast: - The SIDR is the only mode that makes sense; - Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is UD compatible. In this case qkey also needs to be set [1]. This patch allows only UD qp_type to join multicast, and set qkey to default if it's not set, to fix an uninit-value error: the ib->rec.qkey field is accessed without being initialized. ============... • https://git.kernel.org/stable/c/b5de0c60cc30c2a3513c7188c73f3f29acc29234 • CWE-908: Use of Uninitialized Resource •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-53524 – wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
https://notcve.org/view.php?id=CVE-2023-53524
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf An integer overflow occurs in the iwl_write_to_user_buf() function, which is called by the iwl_dbgfs_monitor_data_read() function. static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { int buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_s... • https://git.kernel.org/stable/c/f7805b33f9b13a87b1fcf9dfbc3dcbce281a1436 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53521 – scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
https://notcve.org/view.php?id=CVE-2023-53521
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() A fix for: BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses] Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013 When edev->components is zero, accessing edev->component[0] members is wrong. In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() A fix for: BUG: KASAN: slab-out-of-bounds in ses_... • https://git.kernel.org/stable/c/9927c68864e9c39cc317b4f559309ba29e642168 • CWE-125: Out-of-bounds Read •
CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2023-53520 – Bluetooth: Fix hci_suspend_sync crash
https://notcve.org/view.php?id=CVE-2023-53520
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix hci_suspend_sync crash If hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier may still be accessing it, it can cause the program to crash. Here's the call trace: <4>[102152.653246] Call Trace: <4>[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth] <4>[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth] <4>[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth] <4>[102152.653268] notifier_call_chai... • https://git.kernel.org/stable/c/9952d90ea2885d7cbf80cd233f694f09a9c0eaec •