CVSS: 7.1 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39883 – mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
https://notcve.org/view.php?id=CVE-2025-39883
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory When I did memory failure tests, the panic below occurred: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40 RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX:... • https://git.kernel.org/stable/c/f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe •
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39881 – kernfs: Fix UAF in polling when open file is released
https://notcve.org/view.php?id=CVE-2025-39881
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: kernfs: Fix UAF in polling when open file is released A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism: BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140 Read of size 8 at addr ffff3de3d50bd308 by task systemd/1 psi_trigger_poll+0x3c/0x140 cgroup_pressure_poll+0x70/0xa0 cgroup_file_poll+0x8c/0x100 kernfs_fop_poll+0x11c/0x1c0 ep_item_poll.isra.0+0x188/0x2c0 Allocate... • https://git.kernel.org/stable/c/34f26a15611afb03c33df6819359d36f5b382589 • CWE-416: Use After Free •
CVSS: 7.1 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2025-39880 – libceph: fix invalid accesses to ceph_connection_v1_info
https://notcve.org/view.php?id=CVE-2025-39880
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses to ceph_connection_v1_info There is a place where generic code in messenger.c is reading and another place where it is writing to con->v1 union member without checking that the union member is active (i.e. msgr1 is in use). On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter, so such a read is almost guaranteed to return a bogus value instead of 0 when msgr2 is in use. This ends up being fairly... • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 7.0 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39877 – mm/damon/sysfs: fix use-after-free in state_show()
https://notcve.org/view.php?id=CVE-2025-39877
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix use-after-free in state_show() state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. This allows a use-after-free race: CPU 0 CPU 1 ----- ----- state_show() damon_sysfs_turn_damon_on() ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock); damon_destroy_ctx(kdamond->damon_ctx); kdamond->damon_ctx = NULL; mutex_unlock(&damon_sysfs_lock); damon_is_running(ctx); /* ctx is freed */ mutex_lock(&ctx->kdamon... • https://git.kernel.org/stable/c/a61ea561c87139992fe32afdee48a6f6b85d824a •
CVSS: 5.5 • EPSS: 0% • CPEs: 11 • EXPL: 0 • CVE-2025-39876 – net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
https://notcve.org/view.php?id=CVE-2025-39876
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev. The SUSE Linux Enterprise 15 SP6 A... • https://git.kernel.org/stable/c/9e70485b40c8306298adea8bdc867ca27f88955a •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2025-39873 – can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
https://notcve.org/view.php?id=CVE-2025-39873
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call. However, xilinx_can xcan_write_frame() keeps using SKB after the call. Fix that by only calling can_put_echo_skb() after the code is done touching the SKB. The tx_lock is held for the entire xcan_write_frame() execution and also on the can_get_echo_skb() side so the order of o... • https://git.kernel.org/stable/c/1598efe57b3e768056e4ca56cb9cf33111e68d1c •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2025-39871 – dmaengine: idxd: Remove improper idxd_free
https://notcve.org/view.php?id=CVE-2025-39871
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Remove improper idxd_free The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... Call Trace:
CVSS: 9.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2025-39870 – dmaengine: idxd: Fix double free in idxd_setup_wqs()
https://notcve.org/view.php?id=CVE-2025-39870
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix double free in idxd_setup_wqs() The clean up in idxd_setup_wqs() has had a couple bugs because the error handling is a bit subtle. It's simpler to just re-write it in a cleaner way. The issues here are: 1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when "conf_dev" hasn't been initialized. 2) If kzalloc_node() fails then again "conf_dev" is invalid. It's either uninitialized or it points to the "conf_de... • https://git.kernel.org/stable/c/d584acdf54f409cb7eae1359ae6c12aaabedeed8 •
CVSS: 7.2 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39869 – dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
https://notcve.org/view.php?id=CVE-2025-39869
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Fix a critical memory allocation bug in edma_setup_from_hw() where queue_priority_map was allocated with insufficient memory. The code declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but allocated memory using sizeof(s8) instead of the correct size. This caused out-of-bounds memory writes when accessing: queue_priority_map[i][0] = i; queue_priority_m... • https://git.kernel.org/stable/c/2b6b3b7420190888793c49e97276e1e73bd7eaed •
CVSS: 6.4 • EPSS: 0% • CPEs: 7 • EXPL: 1 • CVE-2025-39866 – fs: writeback: fix use-after-free in __mark_inode_dirty()
https://notcve.org/view.php?id=CVE-2025-39866
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() A use-after-free issue occurred when __mark_inode_dirty() gets the bdi_writeback that was in the process of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark... • https://packetstorm.news/files/id/209969 •
