CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2025-39876 – net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
https://notcve.org/view.php?id=CVE-2025-39876
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev. In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev. The SUSE Linux Enterprise 15 SP6 A... • https://git.kernel.org/stable/c/9e70485b40c8306298adea8bdc867ca27f88955a •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39873 – can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
https://notcve.org/view.php?id=CVE-2025-39873
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call. However, xilinx_can xcan_write_frame() keeps using SKB after the call. Fix that by only calling can_put_echo_skb() after the code is done touching the SKB. The tx_lock is held for the entire xcan_write_frame() execution and also on the can_get_echo_skb() side so the order of o... • https://git.kernel.org/stable/c/1598efe57b3e768056e4ca56cb9cf33111e68d1c •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39871 – dmaengine: idxd: Remove improper idxd_free
https://notcve.org/view.php?id=CVE-2025-39871
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Remove improper idxd_free The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... Call Trace:
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39870 – dmaengine: idxd: Fix double free in idxd_setup_wqs()
https://notcve.org/view.php?id=CVE-2025-39870
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix double free in idxd_setup_wqs() The clean up in idxd_setup_wqs() has had a couple bugs because the error handling is a bit subtle. It's simpler to just re-write it in a cleaner way. The issues here are: 1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when "conf_dev" hasn't been initialized. 2) If kzalloc_node() fails then again "conf_dev" is invalid. It's either uninitialized or it points to the "conf_de... • https://git.kernel.org/stable/c/d584acdf54f409cb7eae1359ae6c12aaabedeed8 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39869 – dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
https://notcve.org/view.php?id=CVE-2025-39869
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Fix a critical memory allocation bug in edma_setup_from_hw() where queue_priority_map was allocated with insufficient memory. The code declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but allocated memory using sizeof(s8) instead of the correct size. This caused out-of-bounds memory writes when accessing: queue_priority_map[i][0] = i; queue_priority_m... • https://git.kernel.org/stable/c/2b6b3b7420190888793c49e97276e1e73bd7eaed •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 1CVE-2025-39866 – fs: writeback: fix use-after-free in __mark_inode_dirty()
https://notcve.org/view.php?id=CVE-2025-39866
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark... • https://packetstorm.news/files/id/209969 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-39865 – tee: fix NULL pointer dereference in tee_shm_put
https://notcve.org/view.php?id=CVE-2025-39865
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 ... • https://git.kernel.org/stable/c/c05d8f66ec3470e5212c4d08c46d6cb5738d600d •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39864 – wifi: cfg80211: fix use-after-free in cmp_bss()
https://notcve.org/view.php?id=CVE-2025-39864
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer. In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_fr... • https://git.kernel.org/stable/c/3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39863 – wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
https://notcve.org/view.php?id=CVE-2025-39863
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shut... • https://git.kernel.org/stable/c/61730d4dfffc2cc9d3a49fad87633008105c18ba • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39862 – wifi: mt76: mt7915: fix list corruption after hardware restart
https://notcve.org/view.php?id=CVE-2025-39862
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix list corruption after hardware restart Since stations are recreated from scratch, all lists that wcids are added to must be cleared before calling ieee80211_restart_hw. Set wcid->sta = 0 for each wcid entry in order to ensure that they are not added again before they are ready. In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix list corruption after hardware restart Since stat... • https://git.kernel.org/stable/c/8a55712d124fd8a919e8a69b70643e1a97280b4b • CWE-787: Out-of-bounds Write •