CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39845 – x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
https://notcve.org/view.php?id=CVE-2025-39845
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel(). This fixes in... • https://git.kernel.org/stable/c/8d400913c231bd1da74067255816453f96cd35b0 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39844 – mm: move page table sync declarations to linux/pgtable.h
https://notcve.org/view.php?id=CVE-2025-39844
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Ca... • https://git.kernel.org/stable/c/8d400913c231bd1da74067255816453f96cd35b0 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39842 – ocfs2: prevent release journal inode after journal shutdown
https://notcve.org/view.php?id=CVE-2025-39842
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: prevent release journal inode after journal shutdown Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_release_jbd_inode(). ocfs2_dismount_volume()-> ocfs2_delete_osb()-> ocfs2_free_slot_info()-> __ocfs2_free_slot_info()-> evict()-> ocfs2_evict_inode()-> ocf... • https://git.kernel.org/stable/c/da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39841 – scsi: lpfc: Fix buffer free/clear order in deferred receive path
https://notcve.org/view.php?id=CVE-2025-39841
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost path) also inspect and release the same pointer under the lock, so the old order could lead to double-free/UAF. Note that the repost path alre... • https://git.kernel.org/stable/c/472e146d1cf3410a898b49834500fa9e33ac41a2 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39839 – batman-adv: fix OOB read/write in network-coding decode
https://notcve.org/view.php?id=CVE-2025-39839
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix OOB read/write in network-coding decode batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small out-of-bounds write. Validate that coded_len fits within the payload area of both destination and source sk_buffs before XORing. In the Linux ... • https://git.kernel.org/stable/c/2df5278b0267c799f3e877e8eeddbb6e93cda0bb •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2023-53447 – f2fs: don't reset unchangable mount option in f2fs_remount()
https://notcve.org/view.php?id=CVE-2023-53447
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: don't reset unchangable mount option in f2fs_remount() syzbot reports a bug as below: general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942 Call Trace: lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691 __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline] _raw_write_lock+0x2e/0x40 kernel/locking/spinloc... • https://git.kernel.org/stable/c/98e4da8ca301e062d79ae168c67e56f3c3de3ce4 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.4EPSS: 0%CPEs: 7EXPL: 0CVE-2023-53446 – PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
https://notcve.org/view.php?id=CVE-2023-53446
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free Struct pcie_link_state->downstream is a pointer to the pci_dev of function 0. Previously we retained that pointer when removing function 0, and subsequent ASPM policy changes dereferenced it, resulting in a use-after-free warning from KASAN, e.g.: # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove # echo powersave > /sys/module/pcie_aspm/parameters/policy BUG: KASAN: sl... • https://git.kernel.org/stable/c/b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-53445 – net: qrtr: Fix a refcount bug in qrtr_recvmsg()
https://notcve.org/view.php?id=CVE-2023-53445
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Fix a refcount bug in qrtr_recvmsg() Syzbot reported a bug as following: refcount_t: addition on 0; use-after-free. ... RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 ... Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-53443 – mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
https://notcve.org/view.php?id=CVE-2023-53443
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak In arizona_clk32k_enable(), we should use pm_runtime_resume_and_get() as pm_runtime_get_sync() will increase the refcnt even when it returns an error. In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak In arizona_clk32k_enable(), we should use pm_runtime_resume_and_get() as pm_runtime_get... • https://git.kernel.org/stable/c/247fa1920deeb1064e36c0a34410f4d63503b3d4 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-53442 – ice: Block switchdev mode when ADQ is active and vice versa
https://notcve.org/view.php?id=CVE-2023-53442
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: Block switchdev mode when ADQ is active and vice versa ADQ and switchdev are not supported simultaneously. Enabling both at the same time can result in nullptr dereference. To prevent this, check if ADQ is active when changing devlink mode to switchdev mode, and check if switchdev is active when enabling ADQ. In the Linux kernel, the following vulnerability has been resolved: ice: Block switchdev mode when ADQ is active and vice versa ... • https://git.kernel.org/stable/c/fbc7b27af0f9fb181811424e29caf6825594a841 • CWE-476: NULL Pointer Dereference •