
CVSS: - | EPSS: % | CPEs: 5 | EXPL: 0

03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem()
Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.
https://git.kernel.org/stable/c/94033cd8e73b8632bab7c8b7bb54caa4f5616db7

CVSS: - | EPSS: % | CPEs: 5 | EXPL: 0

03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter h...
https://git.kernel.org/stable/c/2fc5703abda201f138faf63bdca743d04dbf4b1a

CVSS: - | EPSS: % | CPEs: 4 | EXPL: 0

03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix fence reference count leak
The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails. Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper balance. [phasta: add git tag info for stable kernel]
https://git.kernel.org/stable/c/2fdb8a8f07c2f1353770a324fd19b8114e4329ac

CVSS: 9.8 | EPSS: % | CPEs: 5 | EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix incorrect validation for num_aces field of smb_acl
parse_dacl() validates num_aces to allocate posix_ace_state_array.
if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
It is an incorrect validation that we can create an array of size ULONG_MAX. smb_acl has ->size field to calculate actual number of aces in request buffer size. Use this to check invalid num_aces.
https://git.kernel.org/stable/c/9c4e202abff45f8eac17989e549fc7a75095f675

CVSS: 9.8 | EPSS: % | CPEs: 5 | EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message.
https://git.kernel.org/stable/c/9bfa80c8aa4e06dff55a953c3fffbfc68a3a3b1c

CVSS: 9.8 | EPSS: % | CPEs: 5 | EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera
The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor.
[453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff
[453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:...
https://git.kernel.org/stable/c/9acdb0059fb6b82158e15adae91e629cb5974564

CVSS: 5.5 | EPSS: % | CPEs: 11 | EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't ha...
https://git.kernel.org/stable/c/d576547f489c935b9897d4acf8beee3325dea8a5

CVSS: 5.5 | EPSS: % | CPEs: 3 | EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags
PRT BOs may not have any backing store, so bo->tbo.resource will be NULL. Check for that before dereferencing. (cherry picked from commit 3e3fcd29b505cebed659311337ea03b7698767fc)
https://git.kernel.org/stable/c/0cce5f285d9ae81c33993f3270fe77f5e74a69ab

CVSS: 5.5 | EPSS: % | CPEs: 3 | EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix missing .is_two_pixels_per_container
Starting from 6.11, AMDGPU driver, while being loaded with amdgpu.dc=1, due to lack of .is_two_pixels_per_container function in dce60_tg_funcs, causes a NULL pointer dereference on PCs with old GPUs, such as R9 280X. So this fix adds missing .is_two_pixels_per_container to dce60_tg_funcs. (cherry picked from commit bd4b125eb949785c6f8a53b0494e32795421209d)
https://git.kernel.org/stable/c/e6a901a00822659181c93c86d8bbc2a17779fddc

CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/netfs/read_collect: add to next->prev_donated
If multiple subrequests donate data to the same "next" request (depending on the subrequest completion order), each of them would overwrite the `prev_donated` field, causing data corruption and a BUG() crash ("Can't donate prior to front").
https://git.kernel.org/stable/c/ee4cdf7ba857a894ad1650d6ab77669cbbfa329e