
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue. watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66] CPU: 1 UID: 0 PID: ... • https://git.kernel.org/stable/c/d902eee43f1951b358d7347d9165c6af21cf7b1b •

CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not init, which will access an NULL pointer. Just change goto statement to return, because hibnc_hw_init() doesn't need to free anything. • https://git.kernel.org/stable/c/b3df5e65cc03696b0624a877d03a3ddf3ef43f52 •

CVSS: 6.5 | EPSS: 0% | CPEs: 10 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has a strict contract: it supports checksum offload only for plain TCP or UDP over IPv6 and explicitly does not support packets with extension headers... • https://git.kernel.org/stable/c/a84978a9cda68f0afe3f01d476c68db21526baf1 • CWE-841: Improper Enforcement of Behavioral Workflow •

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen

    tc qdisc del dev lo root
    tc qdisc add dev lo root handle 1: htb default 1
    tc class add dev lo parent 1: classid 1:1 \
        htb rate 64bit
    tc qdisc add dev lo parent 1:1 handle f: \
        cake memlimit 1b
    ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads ... • https://git.kernel.org/stable/c/046f6fd5daefac7f5abdafb436b30f63bc7c602b •

CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption. AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do if (!refcount_inc_not_zero(&exp->use)) to increment the refcount, there is a chance that exp == last, which causes a double-... • https://git.kernel.org/stable/c/cf6994c2b9812a9f02b99e89df411ffc5db9c779 •

CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered If a synchronous error is detected as a result of user-space process triggering a 2-bit uncorrected error, the CPU will take a synchronous error exception such as Synchronous External Abort (SEA) on Arm64. The kernel will queue a memory_failure() work which poisons the related page, unmaps the page, and then sends a SIGBUS to the process, so that a system wide... • https://git.kernel.org/stable/c/8fcc4ae6faf8b455eeef00bc9ae70744e3b0f462 •

CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •

CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor. • https://git.kernel.org/stable/c/842f16905dfc6743c1dd80c3d29b49ba3ab7f7c8 •

CVSS: 7.0 | EPSS: 0% | CPEs: 6 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing ... • https://git.kernel.org/stable/c/e685da14af6b31e4b336a110cb1bae1afc268be8 •

CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. • https://git.kernel.org/stable/c/11785ef53228d23ec386f5fe4a34601536f0c891 • CWE-20: Improper Input Validation •