
CVE-2025-38097 – espintcp: remove encap socket caching to avoid reference leak
https://notcve.org/view.php?id=CVE-2025-38097
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: espintcp: remove encap socket caching to avoid reference leak The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns. The reference chain is: xfrm_state -> encap_sk -> netns Since the encap socket is a userspace socket, it holds a reference on the netns. If we delete the espintcp state (through flush or individual delete) before removing the netns, the reference on the socket is dropped a... • https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 •

CVE-2025-38096 – wifi: iwlwifi: don't warn when if there is a FW error
https://notcve.org/view.php?id=CVE-2025-38096
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: don't warn when if there is a FW error iwl_trans_reclaim is warning if it is called when the FW is not alive. But if it is called when there is a pending restart, i.e. after a FW error, there is no need to warn, instead - return silently. • https://git.kernel.org/stable/c/0446d34a853d9576e2a7628c803d2abd2f8cf3a8 •

CVE-2025-38095 – dma-buf: insert memory barrier before updating num_fences
https://notcve.org/view.php?id=CVE-2025-38095
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: dma-buf: insert memory barrier before updating num_fences smp_store_mb() inserts a memory barrier after the store operation. This differs from what the comment originally intended, so a NULL pointer dereference can happen if the memory update is reordered. • https://git.kernel.org/stable/c/a590d0fdbaa56f482ff515e1040b6d9b1b200d63 •

CVE-2025-38094 – net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
https://notcve.org/view.php?id=CVE-2025-38094
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high as well. Because jiffies are never updated, as we are in a context with interrupts disabled, we never exit that loop and have a deadlock. That deadlock was noticed on a sama5d4 device that stayed locked for days. Use retries instead of jiffies so that the timeout really works and we do not have a deadlock anymore. • https://git.kernel.org/stable/c/e86cd53afc5907f7c221b709916e2dd354e14691 •

CVE-2025-38092 – ksmbd: use list_first_entry_or_null for opinfo_get_list()
https://notcve.org/view.php?id=CVE-2025-38092
02 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: use list_first_entry_or_null for opinfo_get_list() The list_first_entry() macro never returns NULL. If the list is empty then it returns an invalid pointer. Use list_first_entry_or_null() to check if the list is empty. • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •

CVE-2025-38090 – drivers/rapidio/rio_cm.c: prevent possible heap overwrite
https://notcve.org/view.php?id=CVE-2025-38090
30 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address th... • https://git.kernel.org/stable/c/b6e8d4aa1110306378af0f3472a6b85a1f039a16 •

CVE-2025-38089 – sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
https://notcve.org/view.php?id=CVE-2025-38089
30 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error tianshuo han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there. If it's the first time the thread has processed an RPC, then that pointer... • https://github.com/keymaker-arch/NFSundown •

CVE-2025-38088 – powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap
https://notcve.org/view.php?id=CVE-2025-38088
30 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap memtrace mmap has an out of bounds issue. This patch fixes it by checking that the requested mapping region size stays within the allocated region size. • https://git.kernel.org/stable/c/08a022ad3dfafc7e33d4529015e14bb75179cacc •

CVE-2025-38087 – net/sched: fix use-after-free in taprio_dev_notifier
https://notcve.org/view.php?id=CVE-2025-38087
30 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: fix use-after-free in taprio_dev_notifier Since taprio’s taprio_dev_notifier() isn’t protected by an RCU read-side critical section, a race with advance_sched() can lead to a use-after-free. Adding rcu_read_lock() inside taprio_dev_notifier() prevents this. • https://git.kernel.org/stable/c/fed87cc6718ad5f80aa739fee3c5979a8b09d3a6 •

CVE-2025-38086 – net: ch9200: fix uninitialised access during mii_nway_restart
https://notcve.org/view.php?id=CVE-2025-38086
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialis... • https://git.kernel.org/stable/c/4a476bd6d1d923922ec950ddc4c27b279f6901eb •