CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40363 – net: ipv6: fix field-spanning memcpy warning in AH output
https://notcve.org/view.php?id=CVE-2025-40363
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix field-spanning memcpy warning in AH output Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields. memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16) WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_... • https://git.kernel.org/stable/c/2da805a61ef5272a2773775ce14c3650adb84248 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40362 – ceph: fix multifs mds auth caps issue
https://notcve.org/view.php?id=CVE-2025-40362
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix multifs mds auth caps issue The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example. Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Autho... • https://git.kernel.org/stable/c/07640d34a781bb2e39020a39137073c03c4aa932 •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-40361 – fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock
https://notcve.org/view.php?id=CVE-2025-40361
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock The parent function ext4_xattr_inode_lookup_create already uses GFP_NOFS for memory allocation, so the function ext4_xattr_inode_cache_find should use same gfp_flag. • https://git.kernel.org/stable/c/5e6b27f4e68682aa3db9f83ca04adef89903159b •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40353 – arm64: mte: Do not warn if the page is already tagged in copy_highpage()
https://notcve.org/view.php?id=CVE-2025-40353
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Do not warn if the page is already tagged in copy_highpage() The arm64 copy_highpage() assumes that the destination page is newly allocated and not MTE-tagged (PG_mte_tagged unset) and warns accordingly. However, following commit 060913999d7a ("mm: migrate: support poisoned recover from migrate folio"), folio_mc_copy() is called before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the copy will be done again to the s... • https://git.kernel.org/stable/c/5ff5765a1fc526f07d3bbaedb061d970eb13bcf4 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40351 – hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
https://notcve.org/view.php?id=CVE-2025-40351
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() The syzbot reported issue in hfsplus_delete_cat(): [ 70.682285][ T9333] ===================================================== [ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 [ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 [ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 [ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 [ 70.685048][ T... • https://git.kernel.org/stable/c/a2bee43b451615531ae6f3cf45054f02915ef885 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40349 – hfs: validate record offset in hfsplus_bmap_alloc
https://notcve.org/view.php?id=CVE-2025-40349
16 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: validate record offset in hfsplus_bmap_alloc hfsplus_bmap_alloc can trigger a crash if a record offset or length is larger than node_size [ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 [ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 [ 15.265949] [ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) [ 15.266165] Hardware name: QEMU ... • https://git.kernel.org/stable/c/f7d9f600c7c3ff5dab36181a388af55f2c95604c •
CVSS: 7.1 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-40345 – usb: storage: sddr55: Reject out-of-bound new_pba
https://notcve.org/view.php?id=CVE-2025-40345
12 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin - Automated Vulnerability Discovery Engine. new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory. Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-ran... • https://git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490 •
CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40341 – futex: Don't leak robust_list pointer on exec race
https://notcve.org/view.php?id=CVE-2025-40341
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get... • https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237 •
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40338 – ASoC: Intel: avs: Do not share the name pointer between components
https://notcve.org/view.php?id=CVE-2025-40338
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Do not share the name pointer between components By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that. At the same time, update the order of operations - since commit cee28113db17 ("ASoC: dmaengine_pcm: Allow passing component name via config") the framework does not override component->name if set before invoking the initializer. In the Linux kernel, the f... • https://git.kernel.org/stable/c/128bf29c992988f8b4f3829227339908fde5ec86 •
CVSS: 8.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40337 – net: stmmac: Correctly handle Rx checksum offload errors
https://notcve.org/view.php?id=CVE-2025-40337
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Correctly handle Rx checksum offload errors The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype. However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause c... • https://git.kernel.org/stable/c/63fbe0e6413279d5ea5842e2423e351ded547683 •
