CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-23161 – PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
https://notcve.org/view.php?id=CVE-2025-23161
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type The access to the PCI config space via pci_ops::read and pci_ops::write is a low-level hardware access. The functions can be accessed with disabled interrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this purpose. A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be acquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in the same context as... • https://git.kernel.org/stable/c/c250262d6485ca333e9821f85b07eb383ec546b1 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23159 – media: venus: hfi: add a check to handle OOB in sfr region
https://notcve.org/view.php?id=CVE-2025-23159
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases. In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by m... • https://git.kernel.org/stable/c/d96d3f30c0f2f564f6922bf4ccdf4464992e31fb •
CVSS: 8.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23158 – media: venus: hfi: add check to handle incorrect queue size
https://notcve.org/view.php?id=CVE-2025-23158
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add check to handle incorrect queue size qsize represents size of shared queued between driver and video firmware. Firmware can modify this value to an invalid large value. In such situation, empty_space will be bigger than the space actually available. Since new_wr_idx is not checked, so the following code will result in an OOB write. ... qsize = qhdr->q_size if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx) ... • https://git.kernel.org/stable/c/d96d3f30c0f2f564f6922bf4ccdf4464992e31fb •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23157 – media: venus: hfi_parser: add check to avoid out of bound access
https://notcve.org/view.php?id=CVE-2025-23157
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add check to avoid out of bound access There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning. In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add c... • https://git.kernel.org/stable/c/1a73374a04e555103e5369429a30999114001dda •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23156 – media: venus: hfi_parser: refactor hfi packet parsing logic
https://notcve.org/view.php?id=CVE-2025-23156
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: refactor hfi packet parsing logic words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this patch, the utility api for handling individual properties now returns the size of data consumed. Accordingly remaining bytes are calculated be... • https://git.kernel.org/stable/c/1a73374a04e555103e5369429a30999114001dda •
CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2025-23150 – ext4: fix off-by-one error in do_split
https://notcve.org/view.php?id=CVE-2025-23150
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix off-by-one error in do_split Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split. BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Hardw... • https://git.kernel.org/stable/c/ea54176e5821936d109bb45dc2c19bd53559e735 •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23143 – net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
https://notcve.org/view.php?id=CVE-2025-23143
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TC... • https://git.kernel.org/stable/c/ed07536ed6731775219c1df7fa26a7588753e693 •
CVSS: 5.5EPSS: 0%CPEs: 14EXPL: 0CVE-2025-23142 – sctp: detect and prevent references to a freed transport in sendmsg
https://notcve.org/view.php?id=CVE-2025-23142
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks to be sent. There's a possible race condition if another thread triggers the removal of that selected transport, for instance, by explicitly ... • https://git.kernel.org/stable/c/df132eff463873e14e019a07f387b4d577d6d1f9 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-23141 – KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
https://notcve.org/view.php?id=CVE-2025-23141
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and e... • https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23140 – misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
https://notcve.org/view.php?id=CVE-2025-23140
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs have been released. However, some requested IRQs remain unreleased, so there are still /proc/irq/* entries remaining, and this results in WARN() with the following message: remove_proc_entry: removing non-em... • https://git.kernel.org/stable/c/e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 •