CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39990 – bpf: Check the helper function is valid in get_helper_proto
https://notcve.org/view.php?id=CVE-2025-39990
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Check the helper function is valid in get_helper_proto kernel test robot reported verifier bug [1] where the helper func pointer could be NULL due to disabled config option. As Alexei suggested we could check on that in get_helper_proto directly. Marking tail_call helper func with BPF_PTR_POISON, because it is unused by design. [1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com In the Linux kernel, the following vul... • https://git.kernel.org/stable/c/3d429cb1278e995e22995ef117fa96d223a67e93 •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39987 – can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39987
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: hi311x: populate ndo_change_mtu() to prevent buffer overflow Sending an PF_PACKET allows to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the sun4i_can driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to config... • https://git.kernel.org/stable/c/57e83fb9b7468c75cb65cde1d23043553c346c6d •
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39986 – can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39986
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Sending an PF_PACKET allows to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the sun4i_can driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to con... • https://git.kernel.org/stable/c/0738eff14d817a02ab082c392c96a1613006f158 •
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39985 – can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39985
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Sending an PF_PACKET allows to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the mcba_usb driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to confi... • https://git.kernel.org/stable/c/51f3baad7de943780ce0c17bd7975df567dd6e14 •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39980 – nexthop: Forbid FDB status change while nexthop is in a group
https://notcve.org/view.php?id=CVE-2025-39980
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: nexthop: Forbid FDB status change while nexthop is in a group The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops: # ip nexthop add id 1 via 192.0.2.1 fdb # ip nexthop add id 2 group 1 Error: Non FDB nexthop group cannot have fdb nexthops. And vice versa: # ip nexthop add id 3 via 192.0.2.2 dev dummy1 # ip nexthop add id 4 group 3 fdb Error: FDB nexthop group can only have fdb nexthops. However, as long as no routes ... • https://git.kernel.org/stable/c/38428d68719c454d269cb03b776d8a4b0ad66111 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39973 – i40e: add validation for ring_len param
https://notcve.org/view.php?id=CVE-2025-39973
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ring_len param The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a mu... • https://git.kernel.org/stable/c/5c3c48ac6bf56367c4e89f6453cd2d61e50375bd •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39972 – i40e: fix idx validation in i40e_validate_queue_map
https://notcve.org/view.php?id=CVE-2025-39972
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in i40e_validate_queue_map Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_validate_queue_map(). In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in i40e_validate_queue_map Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_validate_queue_map(). Several vulnerabilities have been discover... • https://git.kernel.org/stable/c/c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 •
CVSS: 7.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39971 – i40e: fix idx validation in config queues msg
https://notcve.org/view.php?id=CVE-2025-39971
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg(). In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg(). Several vulnerabilities have been discovered in th... • https://git.kernel.org/stable/c/c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 • CWE-787: Out-of-bounds Write •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39970 – i40e: fix input validation logic for action_meta
https://notcve.org/view.php?id=CVE-2025-39970
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix input validation logic for action_meta Fix condition to check 'greater or equal' to prevent OOB dereference. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the oldstable distribution (bookworm), these problems have been fixed in version 6.1.158-1. • https://git.kernel.org/stable/c/e284fc280473bed23f2e1ed324e102a48f7d17e1 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39969 – i40e: fix validation of VF state in get resources
https://notcve.org/view.php?id=CVE-2025-39969
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF state I40E_VF_STATE_ACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is allowed to obtain resources. Use I40E_VF_STATE_RESOURCES_LOADED that is set only in i40e_vc_get_vf_resources_msg() and cleared during reset. In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF ... • https://git.kernel.org/stable/c/171527da84149c2c7aa6a60a64b09d24f3546298 •