CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21969 – Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
https://notcve.org/view.php?id=CVE-2025-21969
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9... • https://git.kernel.org/stable/c/c96cce853542b3b13da3738f35ef1be8cfcc9d1d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21957 – scsi: qla1280: Fix kernel oops when debug level > 2
https://notcve.org/view.php?id=CVE-2025-21957
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 A null dereference or oops exception will eventually occur when qla1280.c driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I think its clear from the code that the intention here is sg_dma_len(s) not length of sg_next(s) when printing the debug info. In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 ... • https://git.kernel.org/stable/c/24602e2664c515a4f2950d7b52c3d5997463418c •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21956 – drm/amd/display: Assign normalized_pix_clk when color depth = 14
https://notcve.org/view.php?id=CVE-2025-21956
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT. It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests. Also fixes the indentation in get_norm_pix_clk. • https://git.kernel.org/stable/c/dc831b38680c47d07e425871a9852109183895cf •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21948 – HID: appleir: Fix potential NULL dereference at raw event handle
https://notcve.org/view.php?id=CVE-2025-21948
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] BUG: KASAN: null-ptr-deref ... • https://git.kernel.org/stable/c/9a4a5574ce427c364d81746fc7fb82d86b5f1a7e •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-21931 – hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio
https://notcve.org/view.php?id=CVE-2025-21931
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio Commit b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined) add page poison checks in do_migrate_range in order to make offline hwpoisoned page possible by introducing isolate_lru_page and try_to_unmap for hwpoisoned page. However folio lock must be held before calling try_to_unmap. Add it to fix this problem. Warning will be produced if folio is n... • https://git.kernel.org/stable/c/b15c87263a69272423771118c653e9a1d0672caa •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21925 – llc: do not use skb_get() before dev_queue_xmit()
https://notcve.org/view.php?id=CVE-2025-21925
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver might have an issue with pktgen, because it does not clear IFF_TX_SKB_SHARING, this is an orthogonal change. We need to audit other skb_get() us... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21922 – ppp: Fix KMSAN uninit-value warning with bpf
https://notcve.org/view.php?id=CVE-2025-21922
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21920 – vlan: enforce underlying device type
https://notcve.org/view.php?id=CVE-2025-21920
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each app... • https://git.kernel.org/stable/c/22bedad3ce112d5ca1eaf043d4990fa2ed698c87 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21917 – usb: renesas_usbhs: Flush the notify_hotplug_work
https://notcve.org/view.php?id=CVE-2025-21917
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable. In the Linux kernel, the follow... • https://git.kernel.org/stable/c/bc57381e634782009b1cb2e86b18013699ada576 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-21912 – gpio: rcar: Use raw_spinlock to protect register access
https://notcve.org/view.php?id=CVE-2025-21912
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ] [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted [ 4.239603] ----------------------------- [ 4.239606] kworker/u8:5/76 ... • https://git.kernel.org/stable/c/7c1f36f9c9aca507d317479a3d3388150ae40a87 •