CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39694 – s390/sclp: Fix SCCB present check
https://notcve.org/view.php?id=CVE-2025-39694
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present check Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation. If the kernel identity mapping does not start at address zero, the resulting virtual address is never zero, so that the NULL checks won't work. Subsequently this may result in incorrect accesses to the first pa... • https://git.kernel.org/stable/c/ada1da31ce34248bc97ca8f801f2cf6efa378a81 • CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39693 – drm/amd/display: Avoid a NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-39693
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL. [HOW] Check returns before dereference. (cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9) In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connec... • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39692 – smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()
https://notcve.org/view.php?id=CVE-2025-39692
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()! Otherwise already existing connections try to use smb_direct_wq as a NULL pointer. In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()!... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39691 – fs/buffer: fix use-after-free when call bh_read() helper
https://notcve.org/view.php?id=CVE-2025-39691
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39689 – ftrace: Also allocate and copy hash for reading of filter files
https://notcve.org/view.php?id=CVE-2025-39689
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy hash for reading of filter files Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can... • https://git.kernel.org/stable/c/c20489dad156dd9919ebd854bbace46dbd2576a3 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39687 – iio: light: as73211: Ensure buffer holes are zeroed
https://notcve.org/view.php?id=CVE-2025-39687
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buffer holes are zeroed Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it. In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buffer holes are zeroed Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it. Several vulnerabilities have been discovered in the Linux kernel that may ... • https://git.kernel.org/stable/c/403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39686 – comedi: Make insn_rw_emulate_bits() do insn->n samples
https://notcve.org/view.php?id=CVE-2025-39686
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction h... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39685 – comedi: pcl726: Prevent invalid irq number
https://notcve.org/view.php?id=CVE-2025-39685
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options... • https://git.kernel.org/stable/c/fff46207245cd9e39c05b638afaee2478e64914b •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39684 – comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
https://notcve.org/view.php?id=CVE-2025-39684
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.1EPSS: 0%CPEs: 14EXPL: 0CVE-2025-39683 – tracing: Limit access to parser->buffer when trace_get_user failed
https://notcve.org/view.php?id=CVE-2025-39683
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d00bd5ba by task ash/165 CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x34/0x... • https://git.kernel.org/stable/c/634684d79733124f7470b226b0f42aada4426b07 •