CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39864 – wifi: cfg80211: fix use-after-free in cmp_bss()
https://notcve.org/view.php?id=CVE-2025-39864
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer. • https://git.kernel.org/stable/c/3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 • CWE-416: Use After Free •
CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-39863 – wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
https://notcve.org/view.php?id=CVE-2025-39863
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1. If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shut... • https://git.kernel.org/stable/c/61730d4dfffc2cc9d3a49fad87633008105c18ba • CWE-416: Use After Free •
CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-39862 – wifi: mt76: mt7915: fix list corruption after hardware restart
https://notcve.org/view.php?id=CVE-2025-39862
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix list corruption after hardware restart Since stations are recreated from scratch, all lists that wcids are added to must be cleared before calling ieee80211_restart_hw. Set wcid->sta = 0 for each wcid entry in order to ensure that they are not added again before they are ready. • https://git.kernel.org/stable/c/8a55712d124fd8a919e8a69b70643e1a97280b4b • CWE-787: Out-of-bounds Write •
CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-39861 – Bluetooth: vhci: Prevent use-after-free by removing debugfs files early
https://notcve.org/view.php?id=CVE-2025-39861
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Move the creation of debugfs files into a dedicated function, and ensure they are explicitly removed during vhci_release(), before associated data structures are freed. Previously, debugfs files such as "force_suspend", "force_wakeup", and others were created under hdev->debugfs but not removed in vhci_release(). Since vhci_release() frees the backing vhci_data structur... • https://git.kernel.org/stable/c/ab4e4380d4e158486e595013a2635190e07e28ce • CWE-416: Use After Free •
CVSS: 7.2 • EPSS: 0% • CPEs: 11 • EXPL: 0 • CVE-2025-39860 – Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
https://notcve.org/view.php?id=CVE-2025-39860
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit. bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release(). Two threads could see the same socket during the list iteration in... • https://git.kernel.org/stable/c/a2da00d1ea1abfb04f846638e210b5b5166e3c9c •
CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-39859 – ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog
https://notcve.org/view.php?id=CVE-2025-39859
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog The ptp_ocp_detach() only shuts down the watchdog timer if it is pending. However, if the timer handler is already running, the timer_delete_sync() is not called. This leads to race conditions where the devlink that contains the ptp_ocp is deallocated while the timer handler is still accessing it, resulting in use-after-free bugs. The following details one of the race scenarios. ... • https://git.kernel.org/stable/c/773bda96492153e11d21eb63ac814669b51fc701 • CWE-416: Use After Free •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39857 – net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
https://notcve.org/view.php?id=CVE-2025-39857
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() BUG: kernel NULL pointer dereference, address: 00000000000002ec PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Workqueue: smc_hs_wq smc_listen_work [smc] RIP: 0010:sm... • https://git.kernel.org/stable/c/0ef69e788411cba2af017db731a9fc62d255e9ac •
CVSS: 5.6 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39853 – i40e: Fix potential invalid access when MAC list is empty
https://notcve.org/view.php?id=CVE-2025-39853
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced. Fix this by using list_first_entry_or_null instead of list_first_entry. • https://git.kernel.org/stable/c/e3219ce6a775468368fb270fae3eb82a6787b436 •
CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-39851 – vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
https://notcve.org/view.php?id=CVE-2025-39851
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object VXLAN FDB entries can point to either a remote destination or an FDB nexthop group. The latter is usually used in EVPN deployments where learning is disabled. However, when learning is enabled, an incoming packet might try to refresh an FDB entry that points to an FDB nexthop group and therefore does not have a remote. Such packets should be dropped, but they are only dropped... • https://git.kernel.org/stable/c/1274e1cc42264d4e629841e4f182795cb0becfd2 • CWE-476: NULL Pointer Dereference •
CVSS: 6.6 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-39850 – vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
https://notcve.org/view.php?id=CVE-2025-39850
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and valid neighbor entry is configured on the VXLAN device whose MAC address is not behind the "any" remote (0.0.0.0 / ::). The code currently assumes that the FDB entry ... • https://git.kernel.org/stable/c/1274e1cc42264d4e629841e4f182795cb0becfd2 • CWE-476: NULL Pointer Dereference •
