CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23163 – net: vlan: don't propagate flags on open
https://notcve.org/view.php?id=CVE-2025-23163
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: vlan: don't propagate flags on open With the device instance lock, there is now a possibility of a deadlock: [ 1.211455] ============================================ [ 1.211571] WARNING: possible recursive locking detected [ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted [ 1.211823] -------------------------------------------- [ 1.211936] ip/184 is trying to acquire lock: [ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{... • https://git.kernel.org/stable/c/a32f1d4f1f4c9d978698f3c718621f6198f2e7ac •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23162 – drm/xe/vf: Don't try to trigger a full GT reset if VF
https://notcve.org/view.php?id=CVE-2025-23162
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/xe/vf: Don't try to trigger a full GT reset if VF VFs don't have access to the GDRST(0x941c) register that driver uses to reset a GT. Attempt to trigger a reset using debugfs: $ cat /sys/kernel/debug/dri/0000:00:02.1/gt0/force_reset or due to a hang condition detected by the driver leads to: [ ] xe 0000:00:02.1: [drm] GT0: trying reset from force_reset [xe] [ ] xe 0000:00:02.1: [drm] GT0: reset queued [ ] xe 0000:00:02.1: [drm] GT0: res... • https://git.kernel.org/stable/c/2eec2fa8666dcecebae33a565a818c9de9af8b50 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-23161 – PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
https://notcve.org/view.php?id=CVE-2025-23161
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type The access to the PCI config space via pci_ops::read and pci_ops::write is a low-level hardware access. The functions can be accessed with disabled interrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this purpose. A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be acquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in the same context as... • https://git.kernel.org/stable/c/c250262d6485ca333e9821f85b07eb383ec546b1 •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23143 – net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
https://notcve.org/view.php?id=CVE-2025-23143
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TC... • https://git.kernel.org/stable/c/ed07536ed6731775219c1df7fa26a7588753e693 •
CVSS: 5.5EPSS: 0%CPEs: 14EXPL: 0CVE-2025-23142 – sctp: detect and prevent references to a freed transport in sendmsg
https://notcve.org/view.php?id=CVE-2025-23142
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks to be sent. There's a possible race condition if another thread triggers the removal of that selected transport, for instance, by explicitly ... • https://git.kernel.org/stable/c/df132eff463873e14e019a07f387b4d577d6d1f9 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-23141 – KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
https://notcve.org/view.php?id=CVE-2025-23141
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and e... • https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23139 – Bluetooth: hci_uart: Fix another race during initialization
https://notcve.org/view.php?id=CVE-2025-23139
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: Fix another race during initialization Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'. Possible race is when someone calls 'hci_tty_uart_close()' after this bit is set, but 'hci_uart_register_dev()' wasn't done. This leads to access to uninitialized fields. To fix it let's set this bit after device was registered (as before patch c411c62cc133) and to fix previous problem let's add one more bit i... • https://git.kernel.org/stable/c/5df5dafc171b90d0b8d51547a82657cd5a1986c7 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37838 – HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
https://notcve.org/view.php?id=CVE-2025-37838
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above wil... • https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-37925 – jfs: reject on-disk inodes of an unsupported type
https://notcve.org/view.php?id=CVE-2025-37925
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: reject on-disk inodes of an unsupported type Syzbot has reported the following BUG: kernel BUG at fs/inode.c:668! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:clear_inode+0x168/0x190 Code: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 ... • https://git.kernel.org/stable/c/79ac5a46c5c1c17476fbf84b4d4600d6d565defd •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37785 – ext4: fix OOB read when checking dotdot dir
https://notcve.org/view.php?id=CVE-2025-37785
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() ... • https://git.kernel.org/stable/c/ac27a0ec112a089f1a5102bc8dffc79c8c815571 •