CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39948 – ice: fix Rx page leak on multi-buffer frames
https://notcve.org/view.php?id=CVE-2025-39948
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: fix Rx page leak on multi-buffer frames The ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each buffer in the current frame. This function was introduced as part of handling multi-buffer XDP support in the ice driver. It works by iterating over the buffers from first_desc up to 1 plus the total number of fragments in the frame, cached from before the XDP program was executed. If the hardware posts a descriptor with a s... • https://git.kernel.org/stable/c/311813ed013c016d4b0b0985a9ee41f778489077 •
CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-39947 – net/mlx5e: Harden uplink netdev access against device unbind
https://notcve.org/view.php?id=CVE-2025-39947
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Harden uplink netdev access against device unbind The function mlx5_uplink_netdev_get() gets the uplink netdevice pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can be removed and its pointer cleared when unbound from the mlx5_core.eth driver. This results in a NULL pointer, causing a kernel panic. BUG: unable to handle page fault for address: 0000000000001300 at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx... • https://git.kernel.org/stable/c/7a9fb35e8c3a67145fca262c304de65cb2f83abf •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39946 – tls: make sure to abort the stream if headers are bogus
https://notcve.org/view.php?id=CVE-2025-39946
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can ... • https://git.kernel.org/stable/c/84c61fe1a75b4255df1e1e7c054c9e6d048da417 •
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39945 – cnic: Fix use-after-free bugs in cnic_delete_task
https://notcve.org/view.php?id=CVE-2025-39945
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs in cnic_delete_task The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), which does not guarantee that the delayed work item 'delete_task' has fully completed if it was already running. Additionally, the delayed work item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work... • https://git.kernel.org/stable/c/fdf24086f4752aee5dfb40143c736250df017820 •
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39944 – octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()
https://notcve.org/view.php?id=CVE-2025-39944
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() The original code relies on cancel_delayed_work() in otx2_ptp_destroy(), which does not ensure that the delayed work item synctstamp_work has fully completed if it was already running. This leads to use-after-free scenarios where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp(). Furthermor... • https://git.kernel.org/stable/c/2958d17a898416c6193431676f6130b68a2cb9fc •
CVSS: 7.1 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2025-39943 – ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
https://notcve.org/view.php?id=CVE-2025-39943
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer If data_offset and data_length of smb_direct_data_transfer struct are invalid, out of bounds issue could happen. This patch validates data_offset and data_length field in recv_done. • https://git.kernel.org/stable/c/2ea086e35c3d726a3bacd0a971c1f02a50e98206 •
CVSS: 6.1 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39942 – ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size
https://notcve.org/view.php?id=CVE-2025-39942
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size This is inspired by the check for data_offset + data_length. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the oldstable distribution (bookworm), these problems have been fixed in version 6.1.158-1. • https://git.kernel.org/stable/c/2ea086e35c3d726a3bacd0a971c1f02a50e98206 •
CVSS: 7.2 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-39940 – dm-stripe: fix a possible integer overflow
https://notcve.org/view.php?id=CVE-2025-39940
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: dm-stripe: fix a possible integer overflow There's a possible integer overflow in stripe_io_hints if we have too large chunk size. Test if the overflow happened, and if it did, don't set limits->io_min and limits->io_opt; • https://git.kernel.org/stable/c/40bea431274c247425e7f5970d796ff7b37a2b22 •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39938 – ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed
https://notcve.org/view.php?id=CVE-2025-39938
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed If earlier opening of source graph fails (e.g. ADSP rejects due to incorrect audioreach topology), the graph is closed and "dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sink graph continues though and next call to q6apm_lpass_dai_prepare() receives dai_data->graph[dai->id]=NULL leading to NULL pointer exception: qcom-apm gprsvc:service:2:1... • https://git.kernel.org/stable/c/30ad723b93ade607a678698e5947a55a4375c3a1 •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39937 – net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
https://notcve.org/view.php?id=CVE-2025-39937
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_d... • https://git.kernel.org/stable/c/7d5e9737efda16535e5b54bd627ef4881d11d31f •
