CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-21996 – drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
https://notcve.org/view.php?id=CVE-2025-21996
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter h... • https://git.kernel.org/stable/c/2fc5703abda201f138faf63bdca743d04dbf4b1a •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-21995 – drm/sched: Fix fence reference count leak
https://notcve.org/view.php?id=CVE-2025-21995
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix fence reference count leak The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails. Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper balance. [phasta: add git tag info for stable kernel] • https://git.kernel.org/stable/c/2fdb8a8f07c2f1353770a324fd19b8114e4329ac •
CVSS: 9.8EPSS: %CPEs: 5EXPL: 0CVE-2025-21994 – ksmbd: fix incorrect validation for num_aces field of smb_acl
https://notcve.org/view.php?id=CVE-2025-21994
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix incorrect validation for num_aces field of smb_acl parse_dcal() validate num_aces to allocate posix_ace_state_array. if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) It is an incorrect validation that we can create an array of size ULONG_MAX. smb_acl has ->size field to calculate actual number of aces in request buffer size. Use this to check invalid num_aces. In the Linux kernel, the following vulnerability has been resolved... • https://git.kernel.org/stable/c/9c4e202abff45f8eac17989e549fc7a75095f675 •
CVSS: 9.8EPSS: %CPEs: 5EXPL: 0CVE-2025-21993 – iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
https://notcve.org/view.php?id=CVE-2025-21993
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. In the Linux kernel, the f... • https://git.kernel.org/stable/c/9bfa80c8aa4e06dff55a953c3fffbfc68a3a3b1c •
CVSS: 9.8EPSS: %CPEs: 5EXPL: 0CVE-2025-21992 – HID: ignore non-functional sensor in HP 5MP Camera
https://notcve.org/view.php?id=CVE-2025-21992
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:... • https://git.kernel.org/stable/c/9acdb0059fb6b82158e15adae91e629cb5974564 •
CVSS: 5.5EPSS: %CPEs: 11EXPL: 0CVE-2025-21991 – x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
https://notcve.org/view.php?id=CVE-2025-21991
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't ha... • https://git.kernel.org/stable/c/d576547f489c935b9897d4acf8beee3325dea8a5 •
CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2025-21990 – drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags
https://notcve.org/view.php?id=CVE-2025-21990
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags PRT BOs may not have any backing store, so bo->tbo.resource will be NULL. Check for that before dereferencing. (cherry picked from commit 3e3fcd29b505cebed659311337ea03b7698767fc) In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags PRT BOs may not have any backing store, so bo-... • https://git.kernel.org/stable/c/0cce5f285d9ae81c33993f3270fe77f5e74a69ab •
CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2025-21989 – drm/amd/display: fix missing .is_two_pixels_per_container
https://notcve.org/view.php?id=CVE-2025-21989
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix missing .is_two_pixels_per_container Starting from 6.11, AMDGPU driver, while being loaded with amdgpu.dc=1, due to lack of .is_two_pixels_per_container function in dce60_tg_funcs, causes a NULL pointer dereference on PCs with old GPUs, such as R9 280X. So this fix adds missing .is_two_pixels_per_container to dce60_tg_funcs. (cherry picked from commit bd4b125eb949785c6f8a53b0494e32795421209d) In the Linux kernel, the fo... • https://git.kernel.org/stable/c/e6a901a00822659181c93c86d8bbc2a17779fddc •
CVSS: 9.8EPSS: %CPEs: 1EXPL: 0CVE-2025-21988 – fs/netfs/read_collect: add to next->prev_donated
https://notcve.org/view.php?id=CVE-2025-21988
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/netfs/read_collect: add to next->prev_donated If multiple subrequests donate data to the same "next" request (depending on the subrequest completion order), each of them would overwrite the `prev_donated` field, causing data corruption and a BUG() crash ("Can't donate prior to front"). In the Linux kernel, the following vulnerability has been resolved: fs/netfs/read_collect: add to next->prev_donated If multiple subrequests donate data t... • https://git.kernel.org/stable/c/ee4cdf7ba857a894ad1650d6ab77669cbbfa329e •
CVSS: 7.1EPSS: %CPEs: 3EXPL: 0CVE-2025-21987 – drm/amdgpu: init return value in amdgpu_ttm_clear_buffer
https://notcve.org/view.php?id=CVE-2025-21987
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: init return value in amdgpu_ttm_clear_buffer Otherwise an uninitialized value can be returned if amdgpu_res_cleared returns true for all regions. Possibly closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812 (cherry picked from commit 7c62aacc3b452f73a1284198c81551035fac6d71) In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: init return value in amdgpu_ttm_clear_buffer Otherwise an uninitial... • https://git.kernel.org/stable/c/a68c7eaa7a8ffdec9287ba1561a668d674c20a13 •