CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49763 – ntfs: fix use-after-free in ntfs_attr_find()
https://notcve.org/view.php?id=CVE-2022-49763
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs: fix use-after-free in ntfs_attr_find() Patch series "ntfs: fix bugs about Attribute", v2. This patchset fixes three bugs relative to Attribute in record: Patch 1 adds a sanity check to ensure that, attrs_offset field in first mft record loading from disk is within bounds. Patch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid dereferencing ATTR_RECORD before checking this ATTR_RECORD is within bounds. Patch 3 adds an overfl... • https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49762 – ntfs: check overflow when iterating ATTR_RECORDs
https://notcve.org/view.php?id=CVE-2022-49762
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs: check overflow when iterating ATTR_RECORDs Kernel iterates over ATTR_RECORDs in mft record in ntfs_attr_find(). Because the ATTR_RECORDs are next to each other, kernel can get the next ATTR_RECORD from end address of current ATTR_RECORD, through current ATTR_RECORD length field. The problem is that during iteration, when kernel calculates the end address of current ATTR_RECORD, kernel may trigger an integer overflow bug in executing `... • https://git.kernel.org/stable/c/5559eb5809353a83a40a1e4e7f066431c7b83020 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37796 – wifi: at76c50x: fix use after free access in at76_disconnect
https://notcve.org/view.php?id=CVE-2025-37796
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface. In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use afte... • https://git.kernel.org/stable/c/29e20aa6c6aff35c81d4da2e2cd516dadb569061 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37795 – wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()
https://notcve.org/view.php?id=CVE-2025-37795
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() The ieee80211 skb control block key (set when skb was queued) could have been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue() already called ieee80211_tx_h_select_key() to get the current key, but the latter do not update the key in skb control block in case it is NULL. Because some drivers actually use this key in their TX callbacks (e.g. ath1{1,2}k... • https://git.kernel.org/stable/c/bb42f2d13ffcd0baed7547b37d05add51fcd50e1 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37794 – wifi: mac80211: Purge vif txq in ieee80211_do_stop()
https://notcve.org/view.php?id=CVE-2025-37794
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Purge vif txq in ieee80211_do_stop() After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state. Because vif.drv_priv is now cleared in this function, this could lead to driver crash. For example in ath12k, ahvif is store in vif.drv_priv.... • https://git.kernel.org/stable/c/ba8c3d6f16a1f9305c23ac1d2fd3992508c5ac03 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37792 – Bluetooth: btrtl: Prevent potential NULL dereference
https://notcve.org/view.php?id=CVE-2025-37792
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: Prevent potential NULL dereference The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' I... • https://git.kernel.org/stable/c/26503ad25de8c7c93a2037f919c2e49a62cf65f1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37789 – net: openvswitch: fix nested key length validation in the set() action
https://notcve.org/view.php?id=CVE-2025-37789
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the attribute is OK first. In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the att... • https://git.kernel.org/stable/c/ccb1352e76cff0524e7ccb2074826a092dd13016 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37782 – hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
https://notcve.org/view.php?id=CVE-2025-37782
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Syzbot reported an issue in hfs subsystem: BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline] BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline] BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102 Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37781 – i2c: cros-ec-tunnel: defer probe if parent EC is not present
https://notcve.org/view.php?id=CVE-2025-37781
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: i2c: cros-ec-tunnel: defer probe if parent EC is not present When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent device will not be found, leading to NULL pointer dereference. That can also be reproduced by unbinding the controller driver and then loading i2c-cros-ec-tunnel module (or binding the device). [ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 271.998215] #PF: supervisor read access... • https://git.kernel.org/stable/c/9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796 •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37780 – isofs: Prevent the use of too small fid
https://notcve.org/view.php?id=CVE-2025-37780
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: isofs: Prevent the use of too small fid syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1] The handle_bytes value passed in by the reproducing program is equal to 12. In handle_to_path(), only 12 bytes of memory are allocated for the structure file_handle->f_handle member, which causes an out-of-bounds access when accessing the member parent_block of the structure isofs_fid in isofs, because accessing parent_block requires... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •