CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38067 – rseq: Fix segfault on registration when rseq_cs is non-zero
https://notcve.org/view.php?id=CVE-2025-38067
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. How... • https://git.kernel.org/stable/c/d7822b1e24f2df5df98c76f0e94a5416349ff759 •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38066 – dm cache: prevent BUG_ON by blocking retries on failed device resumes
https://notcve.org/view.php?id=CVE-2025-38066
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dm cache: prevent BUG_ON by blocking retries on failed device resumes A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object. Reproduce steps: 1. create a cache metadata consisting of 512 or more cache blocks, with some mappings stored in th... • https://git.kernel.org/stable/c/66a636356647a9be8885c2ce2948de126577698a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38065 – orangefs: Do not truncate file size
https://notcve.org/view.php?id=CVE-2025-38065
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems. In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems. This update provides the initial livepatch for this ... • https://git.kernel.org/stable/c/f7ab093f74bf638ed98fd1115f3efa17e308bb7f •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38064 – virtio: break and reset virtio devices on device_shutdown()
https://notcve.org/view.php?id=CVE-2025-38064
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio: break and reset virtio devices on device_shutdown() Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang. Invalid read at addr 0x102877002, size 2, region '(null)', reason: rejected Invalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected ... It was traced down to virtio-console. Kexec works fine if virtio-console is not in use. • https://git.kernel.org/stable/c/ec3d41c4db4c21164332826ea8d812f94f2f6886 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38063 – dm: fix unconditional IO throttle caused by REQ_PREFLUSH
https://notcve.org/view.php?id=CVE-2025-38063
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait(). An example from v5.4, similar problem also exists in upstream: crash> bt 2091206 PID: 2091206 TASK: ffff2050df92a300 CPU: 109 COMMAND: "kworker/u260:0" #0 [ffff800084a2f7f0] __switch_to at fff... • https://git.kernel.org/stable/c/e34cbd307477ae07c5d8a8d0bd15e65a9ddaba5c •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38061 – net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
https://notcve.org/view.php?id=CVE-2025-38061
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). In the Linux kernel, the following vulnerability has been resolved: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38058 – __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock
https://notcve.org/view.php?id=CVE-2025-38058
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput(). Check under mount_lock is ... • https://git.kernel.org/stable/c/48a066e72d970a3e225a9c18690d570c736fc455 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38051 – smb: client: Fix use-after-free in cifs_fill_dirent
https://notcve.org/view.php?id=CVE-2025-38051
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm:... • https://git.kernel.org/stable/c/a364bc0b37f14ffd66c1f982af42990a9d77fa43 •
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38040 – serial: mctrl_gpio: split disable_ms into sync and no_sync APIs
https://notcve.org/view.php?id=CVE-2025-38040
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs The following splat has been observed on a SAMA5D27 platform using atmel_serial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last enabled at (0): [<00000000>] 0x0 hardirqs last di... • https://git.kernel.org/stable/c/ce59e48fdbad2aa6609ceb87e1306ec69e577e05 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38037 – vxlan: Annotate FDB data races
https://notcve.org/view.php?id=CVE-2025-38037
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vxlan: Annotate FDB data races The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2]. Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE(). [1] BUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit write to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0: vxlan_xmit+0xb29/0x2380 dev_hard_start_xmit... • https://git.kernel.org/stable/c/d342894c5d2f8c7df194c793ec4059656e09ca31 •