CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38473 – Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
https://notcve.org/view.php?id=CVE-2025-38473
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access... • https://git.kernel.org/stable/c/d97c899bde330cd1c76c3a162558177563a74362 •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38470 – net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
https://notcve.org/view.php?id=CVE-2025-38470
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problems with the above scheme. The first problem is a memory leak that can happen if the "rx-vlan-filter" feature is disabled while the device is runn... • https://git.kernel.org/stable/c/ad1afb00393915a51c21b1ae8704562bf036855f •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38468 – net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
https://notcve.org/view.php?id=CVE-2025-38468
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 The root cause is the following: 1. htb_deque... • https://git.kernel.org/stable/c/512bb43eb5422ee69a1be05ea0d89dc074fac9a2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38465 – netlink: Fix wraparounds of sk->sk_rmem_alloc.
https://notcve.org/view.php?id=CVE-2025-38465
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38464 – tipc: Fix use-after-free in tipc_conn_close().
https://notcve.org/view.php?id=CVE-2025-38464
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and rel... • https://git.kernel.org/stable/c/c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38460 – atm: clip: Fix potential null-ptr-deref in to_atmarpd().
https://notcve.org/view.php?id=CVE-2025-38460
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd(). In the Linux kernel,... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38459 – atm: clip: Fix infinite recursive call of clip_push().
https://notcve.org/view.php?id=CVE-2025-38459
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's preven... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38458 – atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
https://notcve.org/view.php?id=CVE-2025-38458
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38457 – net/sched: Abort __tc_modify_qdisc if parent class does not exist
https://notcve.org/view.php?id=CVE-2025-38457
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc... • https://git.kernel.org/stable/c/5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38449 – drm/gem: Acquire references on GEM handles for framebuffers
https://notcve.org/view.php?id=CVE-2025-38449
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is sho... • https://git.kernel.org/stable/c/cb4c956a15f8b7f870649454771fc3761f504b5f •