CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39788 – scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
https://notcve.org/view.php?id=CVE-2025-39788
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0. This is because the left hand side of the shift is 1, which is of type int, i.e. 31 bits wide. Shifting by more than that width results in undefined behaviour. Fix this by switching to the BIT() macro, which applies correct typ... • https://git.kernel.org/stable/c/55f4b1f73631a0817717fe6e98517de51b4c3527 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39787 – soc: qcom: mdt_loader: Ensure we don't read past the ELF header
https://notcve.org/view.php?id=CVE-2025-39787
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don't read past the ELF header When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessary the case for other clients. Validate the size of the firmware buffer to ensure that we don't read past the end as we iterate over the header. e_phentsize and e_shentsize are validated as well, to ensure that the assumptions about step size in the traversal are valid. In t... • https://git.kernel.org/stable/c/2aad40d911eeb7dcac91c669f2762a28134f0eb1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39783 – PCI: endpoint: Fix configfs group list head handling
https://notcve.org/view.php?id=CVE-2025-39783
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix configfs group list head handling Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this field is a list head, not a list entry. This list_del() call triggers a KASAN warning when an endpoint function driver which has a configfs attribute group is torn down: ================================================================== BUG: KASAN: slab-use-after-free in pci_e... • https://git.kernel.org/stable/c/ef1433f717a2c63747a519d86965d73ff9bd08b3 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39782 – jbd2: prevent softlockup in jbd2_log_do_checkpoint()
https://notcve.org/view.php?id=CVE-2025-39782
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the combined time spent waiting and processing can be significant. jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when need_res... • https://git.kernel.org/stable/c/f683d611518d30334813eecf9a8c687453e2800e •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39781 – parisc: Drop WARN_ON_ONCE() from flush_cache_vmap
https://notcve.org/view.php?id=CVE-2025-39781
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Drop WARN_ON_ONCE() from flush_cache_vmap I have observed warning to occassionally trigger. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the stable distribution (trixie), these problems have been fixed in version 6.12.48-1. • https://git.kernel.org/stable/c/69cf90e5aa50fe3cb0c1a63cabc4761db44b0035 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39779 – btrfs: subpage: keep TOWRITE tag until folio is cleaned
https://notcve.org/view.php?id=CVE-2025-39779
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: subpage: keep TOWRITE tag until folio is cleaned btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as those required by btrfs_wait_ordered_extents(). That ordering breakage leads to a real failure. For example, running generic/464 on a zoned setu... • https://git.kernel.org/stable/c/3470da3b7d87fde4b9729d4e29c2dc074cd59c10 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39776 – mm/debug_vm_pgtable: clear page table entries at destroy_args()
https://notcve.org/view.php?id=CVE-2025-39776
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/debug_vm_pgtable: clear page table entries at destroy_args() The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also its manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args() it fails to clear those entries with the *_clear functions. The problem is that leaves stale entries. If another process allocates an mm_struct with a pgd at the same address, it may e... • https://git.kernel.org/stable/c/3c9b84f044a9e54cf56d1b2c9b80a2d2ce56d70a •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39773 – net: bridge: fix soft lockup in br_multicast_query_expired()
https://notcve.org/view.php?id=CVE-2025-39773
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue. watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66] CPU: 1 UID: 0 PID: ... • https://git.kernel.org/stable/c/d902eee43f1951b358d7347d9165c6af21cf7b1b •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39772 – drm/hisilicon/hibmc: fix the hibmc loaded failed bug
https://notcve.org/view.php?id=CVE-2025-39772
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not init, which will access an NULL pointer. Just change goto statement to return, because hibnc_hw_init() doesn't need to free anything. In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded fai... • https://git.kernel.org/stable/c/b3df5e65cc03696b0624a877d03a3ddf3ef43f52 •
CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-39770 – net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
https://notcve.org/view.php?id=CVE-2025-39770
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has a strict contract: it supports checksum offload only for plain TCP or UDP over IPv6 and explicitly does not support packets with extension headers... • https://git.kernel.org/stable/c/a84978a9cda68f0afe3f01d476c68db21526baf1 • CWE-841: Improper Enforcement of Behavioral Workflow •