CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-50562 – tpm: acpi: Call acpi_put_table() to fix memory leak
https://notcve.org/view.php?id=CVE-2022-50562
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tpm: acpi: Call acpi_put_table() to fix memory leak The start and length of the event log area are obtained from TPM2 or TCPA table, so we call acpi_get_table() to get the ACPI information, but the acpi_get_table() should be coupled with acpi_put_table() to release the ACPI memory, add the acpi_put_table() properly to fix the memory leak. While we are at it, remove the redundant empty line at the end of the tpm_read_log_acpi(). In the Linux... • https://git.kernel.org/stable/c/0bfb23746052168620c5b52f49d8a47c3bb022fa • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2022-50560 – drm/meson: explicitly remove aggregate driver at module unload time
https://notcve.org/view.php?id=CVE-2022-50560
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/meson: explicitly remove aggregate driver at module unload time Because component_master_del wasn't being called when unloading the meson_drm module, the aggregate device would linger forever in the global aggregate_devices list. That means when unloading and reloading the meson_dw_hdmi module, component_add would call into try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate device. This would in turn dereference s... • https://git.kernel.org/stable/c/8a427a22839daacd36531a62c83d5c9cd6f20657 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-50556 – drm: Fix potential null-ptr-deref due to drmm_mode_config_init()
https://notcve.org/view.php?id=CVE-2022-50556
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: drm: Fix potential null-ptr-deref due to drmm_mode_config_init() drmm_mode_config_init() will call drm_mode_create_standard_properties() and won't check the ret value. When drm_mode_create_standard_properties() failed due to alloc, property will be a NULL pointer and may causes the null-ptr-deref. Fix the null-ptr-deref by adding the ret value check. Found null-ptr-deref while testing insert module bochs: general protection fault, probably ... • https://git.kernel.org/stable/c/6b4959f43a04e12d39c5700607727f2cbcfeac31 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40016 – media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
https://notcve.org/view.php?id=CVE-2025-40016
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero unique ID. ``` Each Unit and Terminal within the video function is assigned a unique identification number, the Unit ID (UID) or Terminal ID (TID), contained in the bUnitID or bTerminalID field of the descriptor. The value 0x00 is reserved for undefined ID, ``` If we add a new entity with id 0 or a ... • https://git.kernel.org/stable/c/a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40011 – drm/gma500: Fix null dereference in hdmi teardown
https://notcve.org/view.php?id=CVE-2025-40011
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/gma500: Fix null dereference in hdmi teardown pci_set_drvdata sets the value of pdev->driver_data to NULL, after which the driver_data obtained from the same dev is dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is extracted from it. To prevent this, swap these calls. Found by Linux Verification Center (linuxtesting.org) with Svacer. In the Linux kernel, the following vulnerability has been resolved: drm/gma500: Fix null derefe... • https://git.kernel.org/stable/c/1b082ccf5901108d3acd860a73d8c0442556c0bb •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40006 – mm/hugetlb: fix folio is still mapped when deleted
https://notcve.org/view.php?id=CVE-2025-40006
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix folio is still mapped when deleted Migration may be raced with fallocating hole. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it's called without folio lock. If the folio is migrated and the mapped pte has been converted to migration entry, folio_mapped() returns false, and won't unmap it. Due to extra refcount held by remove_inode_single_folio, migration fails, restores migration ent... • https://git.kernel.org/stable/c/4aae8d1c051ea00b456da6811bc36d1f69de5445 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40005 – spi: cadence-quadspi: Implement refcount to handle unbind during busy
https://notcve.org/view.php?id=CVE-2025-40005
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Implement refcount to handle unbind during busy driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser. Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to trac... • https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40003 – net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work
https://notcve.org/view.php?id=CVE-2025-40003
18 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work The origin code calls cancel_delayed_work() in ocelot_stats_deinit() to cancel the cyclic delayed work item ocelot->stats_work. However, cancel_delayed_work() may fail to cancel the work item if it is already executing. While destroy_workqueue() does wait for all pending work items in the work queue to complete before destroying the work queue, it cannot prevent the delayed... • https://git.kernel.org/stable/c/a556c76adc052c979ef9e80f0cd3fa1379ff4943 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40001 – scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
https://notcve.org/view.php?id=CVE-2025-40001
18 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to ... • https://git.kernel.org/stable/c/20b09c2992fefbe78f8cede7b404fb143a413c52 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39998 – scsi: target: target_core_configfs: Add length check to avoid buffer overflow
https://notcve.org/view.php?id=CVE-2025-39998
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: target_core_configfs: Add length check to avoid buffer overflow A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev... • https://git.kernel.org/stable/c/e6eeee5dc0d9221ff96d1b229b1d0222c8871b84 •