CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38487 – soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
https://notcve.org/view.php?id=CVE-2025-38487
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000004] *pgd=00000000 [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-000... • https://git.kernel.org/stable/c/9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38485 – iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush
https://notcve.org/view.php?id=CVE-2025-38485
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to ... • https://git.kernel.org/stable/c/79e3a5bdd9efbdf4e1069793d7735b432d641e7c •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38483 – comedi: das16m1: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38483
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original... • https://git.kernel.org/stable/c/729988507680b2ce934bce61d9ce0ea7b235914c •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38482 – comedi: das6402: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38482
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test.... • https://git.kernel.org/stable/c/79e5e6addbb18bf56075f0ff552094a28636dd03 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38481 – comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
https://notcve.org/view.php?id=CVE-2025-38481
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. D... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38480 – comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
https://notcve.org/view.php?id=CVE-2025-38480
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_re... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38478 – comedi: Fix initialization of data for instructions that write to subdevice
https://notcve.org/view.php?id=CVE-2025-38478
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, th... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38477 – net/sched: sch_qfq: Fix race condition on qfq_aggregate
https://notcve.org/view.php?id=CVE-2025-38477
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_clas... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38476 – rpl: Fix use-after-free in rpl_do_srh_inline().
https://notcve.org/view.php?id=CVE-2025-38476
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ====================... • https://git.kernel.org/stable/c/a7a29f9c361f8542604ef959ae6627f423b7a412 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38475 – smc: Fix various oops due to inet_sock type confusion.
https://notcve.org/view.php?id=CVE-2025-38475
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Fix various oops due to inet_sock type confusion. syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while freeing inet_sk(sk)->inet_opt. The address was freed multiple times even though it was read-only memory. cipso_v4_sock_setattr() did nothing wrong, and the root cause was type confusion. The cited commit made it possible to create smc_sock as an INET socket. The issue is that struct smc_sock does not have struct inet_s... • https://git.kernel.org/stable/c/d25a92ccae6bed02327b63d138e12e7806830f78 •