CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37823 – net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
https://notcve.org/view.php?id=CVE-2025-37823
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer. In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37822 – riscv: uprobes: Add missing fence.i after building the XOL buffer
https://notcve.org/view.php?id=CVE-2025-37822
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: riscv: uprobes: Add missing fence.i after building the XOL buffer The XOL (execute out-of-line) buffer is used to single-step the replaced instruction(s) for uprobes. The RISC-V port was missing a proper fence.i (i$ flushing) after constructing the XOL buffer, which can result in incorrect execution of stale/broken instructions. This was found running the BPF selftests "test_progs: uprobe_autoattach, attach_probe" on the Spacemit K1/X60, wh... • https://git.kernel.org/stable/c/74784081aac8a0f3636965fc230e2d3b7cc123c6 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-37821 – sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash
https://notcve.org/view.php?id=CVE-2025-37821
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash There is a code path in dequeue_entities() that can set the slice of a sched_entity to U64_MAX, which sometimes results in a crash. The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case: 1. In the if (entity_is_task(se)) else block at the beginning of dequeue_entities(), sli... • https://git.kernel.org/stable/c/aef6987d89544d63a47753cf3741cabff0b5574c •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37820 – xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
https://notcve.org/view.php?id=CVE-2025-37820
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior. On XDP redirect f... • https://git.kernel.org/stable/c/6c5aa6fc4defc2a0977a2c59e4710d50fa1e834c •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37819 – irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
https://notcve.org/view.php?id=CVE-2025-37819
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger: Unable to handle kernel paging request at virtual address ffff8000816c0400... • https://git.kernel.org/stable/c/0644b3daca28dcb320373ae20069c269c9386304 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37818 – LoongArch: Return NULL from huge_pte_offset() for invalid PMD
https://notcve.org/view.php?id=CVE-2025-37818
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: LoongArch: Return NULL from huge_pte_offset() for invalid PMD LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot even if the underlying entry points to invalid_pte_table (indicating no mapping). Callers like smaps_hugetlb_range() fetch this invalid entry value (the address of invalid_pte_table) via this pointer. The generic is_swap_pte() check then incorrectly identifies this address as a swap entry on LoongArch, becaus... • https://git.kernel.org/stable/c/34256805720993e37adf6127371a1265aea8376a •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37817 – mcb: fix a double free bug in chameleon_parse_gdd()
https://notcve.org/view.php?id=CVE-2025-37817
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mcb: fix a double free bug in chameleon_parse_gdd() In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails. In the Linux kernel, the following vulnerability has been resolved: mcb: fix a double free bug in chameleon_parse_gdd() In chameleon_parse_gdd(), if mcb_de... • https://git.kernel.org/stable/c/3764e82e5150d87b205c10cd78a9c9ab86fbfa51 •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37816 – mei: vsc: Fix fortify-panic caused by invalid counted_by() use
https://notcve.org/view.php?id=CVE-2025-37816
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mei: vsc: Fix fortify-panic caused by invalid counted_by() use gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length *without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered: [ 80.842193] memcpy: detected buffer overflow: 4 ... • https://git.kernel.org/stable/c/566f5ca9768075e453b7b51a397733968df4287d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37815 – misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration
https://notcve.org/view.php?id=CVE-2025-37815
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration Resolve kernel panic while accessing IRQ handler associated with the generated IRQ. This is done by acquiring the spinlock and storing the current interrupt state before handling the interrupt request using generic_handle_irq. A previous fix patch was submitted where 'generic_handle_irq' was replaced with 'handle_nested_irq'. However, this change also causes the ker... • https://git.kernel.org/stable/c/79aef6187e16b2d32307c8ff610e9e04f7f86e1f •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37814 – tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT
https://notcve.org/view.php?id=CVE-2025-37814
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT This requirement was overeagerly loosened in commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as it turns out, (1) the logic I implemented there was inconsistent (apologies!), (2) TIOCL_SELMOUSEREPORT might actually be a small security risk after all, and (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse daemon (GPM or Consol... • https://git.kernel.org/stable/c/e46d91ca504d69ae3d09c120b162a238b8013890 •