CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39721 – crypto: qat - flush misc workqueue during device shutdown
https://notcve.org/view.php?id=CVE-2025-39721
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: qat - flush misc workqueue during device shutdown Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded. Since the driver uses a shared workqueue (`qa... • https://git.kernel.org/stable/c/e5745f34113b758b45d134dec04a7df94dc67131 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39720 – ksmbd: fix refcount leak causing resource not released
https://notcve.org/view.php?id=CVE-2025-39720
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix refcount leak causing resource not released When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not decremented properly, causing a refcount leak that prevents the count from reaching zero and the memory from being released. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix refcount leak causing resource not released When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount w... • https://git.kernel.org/stable/c/a1d2bab4d53368a526c97aba92671dd71814f95a •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39719 – iio: imu: bno055: fix OOB access of hw_xlate array
https://notcve.org/view.php?id=CVE-2025-39719
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access. In practice, this shouldn't happen though because a match... • https://git.kernel.org/stable/c/4aefe1c2bd0cb0223130671d459cd16efa3d3462 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39718 – vsock/virtio: Validate length in packet header before skb_put()
https://notcve.org/view.php?id=CVE-2025-39718
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling vir... • https://git.kernel.org/stable/c/baddcc2c71572968cdaeee1c4ab3dc0ad90fa765 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39716 – parisc: Revise __get_user() to probe user read access
https://notcve.org/view.php?id=CVE-2025-39716
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus, it is currently possible for user code to access a read protected address via a system call. Fix this by probing read access rights at privilege... • https://git.kernel.org/stable/c/28a9b71671fb4a2993ef85b8ef6f117ea63894fe •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39715 – parisc: Revise gateway LWS calls to probe user read access
https://notcve.org/view.php?id=CVE-2025-39715
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel and gateway page execute at privilege level 0, so this code never triggers a read access interruption. Thus, it is currently possible for u... • https://git.kernel.org/stable/c/e8b496c52aa0c6572d88db7cab85aeea6f9c194d •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39714 – media: usbtv: Lock resolution while streaming
https://notcve.org/view.php?id=CVE-2025-39714
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows. [hverkuil: call vb2_is_busy instead of vb2_is_streaming] In the Linux kernel, the following vulne... • https://git.kernel.org/stable/c/0e0fe3958fdd13dbf55c3a787acafde6efd04272 •
CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39713 – media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
https://notcve.org/view.php?id=CVE-2025-39713
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock. Multiple interrupt invocations can race, with each reading... • https://git.kernel.org/stable/c/0f314f6c2e77beb1a232be21dd6be4e1849ba5ac •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39712 – media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval
https://notcve.org/view.php?id=CVE-2025-39712
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval Getting / Setting the frame interval using the V4L2 subdev pad ops get_frame_interval/set_frame_interval causes a deadlock, as the subdev state is locked in the [1] but also in the driver itself. In [2] it's described that the caller is responsible to acquire and release the lock in this case. Therefore, acquiring the lock in the driver is wrong. Remove the lock acquisiti... • https://git.kernel.org/stable/c/24d756e914fc3418bad7897b0657aefa9ef848e8 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39711 – media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
https://notcve.org/view.php?id=CVE-2025-39711
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls Both the ACE and CSI driver are missing a mei_cldev_disable() call in their remove() function. This causes the mei_cl client to stay part of the mei_device->file_list list even though its memory is freed by mei_cl_bus_dev_release() calling kfree(cldev->cl). This leads to a use-after-free when mei_vsc_remove() runs mei_stop() which first removes all mei bus devices c... • https://git.kernel.org/stable/c/29006e196a5661d9afc8152fa2bf8a5347ac17b4 •