CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38025 – iio: adc: ad7606: check for NULL before calling sw_mode_config()
https://notcve.org/view.php?id=CVE-2025-38025
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7606: check for NULL before calling sw_mode_config() Check that the sw_mode_config function pointer is not NULL before calling it. Not all buses define this callback, which resulted in a NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7606: check for NULL before calling sw_mode_config() Check that the sw_mode_config function pointer is not NULL before calling it. Not all ... • https://git.kernel.org/stable/c/e571c1902116a376c96e59639820662d7d6a13da •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38024 – RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
https://notcve.org/view.php?id=CVE-2025-38024
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38023 – nfs: handle failure of nfs_get_lock_context in unlock path
https://notcve.org/view.php?id=CVE-2025-38023
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: nfs: handle failure of nfs_get_lock_context in unlock path When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, addr... • https://git.kernel.org/stable/c/f30cb757f680f965ba8a2e53cb3588052a01aeb5 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38022 – RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
https://notcve.org/view.php?id=CVE-2025-38022
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 strlen+0x93/0xa0 lib/string.c:420 __fortify_strlen include/linux/fortify-string.h:268 [inline] get_kobj_path_lengt... • https://git.kernel.org/stable/c/779e0bf47632c609c59f527f9711ecd3214dccb0 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38021 – drm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp
https://notcve.org/view.php?id=CVE-2025-38021
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp Similar to commit 6a057072ddd1 ("drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe") that addresses a null pointer dereference on dcn20_update_dchubp_dpp. This is the same function hooked for update_dchubp_dpp in dcn401, with the same issue. Fix possible null pointer deference on dcn401_program_pipe too. (cherry picked from commit d8... • https://git.kernel.org/stable/c/63ab80d9ac0adae2066b140ec30481ba4648140d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38020 – net/mlx5e: Disable MACsec offload for uplink representor profile
https://notcve.org/view.php?id=CVE-2025-38020
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set. C... • https://git.kernel.org/stable/c/8ff0ac5be1446920d71bdce5547f0d8476e280ff •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38019 – mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices
https://notcve.org/view.php?id=CVE-2025-38019
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices: # ip link add name gre1 up ... • https://git.kernel.org/stable/c/8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38018 – net/tls: fix kernel panic when alloc_page failed
https://notcve.org/view.php?id=CVE-2025-38018
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full... • https://git.kernel.org/stable/c/84c61fe1a75b4255df1e1e7c054c9e6d048da417 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-38017 – fs/eventpoll: fix endless busy loop after timeout has expired
https://notcve.org/view.php?id=CVE-2025-38017
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/eventpoll: fix endless busy loop after timeout has expired After commit 0a65bc27bd64 ("eventpoll: Set epoll timeout if it's in the future"), the following program would immediately enter a busy loop in the kernel: ``` int main() { int e = epoll_create1(0); struct epoll_event event = {.events = EPOLLIN}; epoll_ctl(e, EPOLL_CTL_ADD, 0, &event); const struct timespec timeout = {.tv_nsec = 1}; epoll_pwait2(e, &event, 1, &timeout, 0); } ``` T... • https://git.kernel.org/stable/c/99a0ad16dfd114a429df665065dcc576dad743c0 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38016 – HID: bpf: abort dispatch if device destroyed
https://notcve.org/view.php?id=CVE-2025-38016
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: bpf: abort dispatch if device destroyed The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages. The bug will be triggered if the conditions be... • https://git.kernel.org/stable/c/8bd0488b5ea58655ad6fdcbe0408ef49b16882b1 •