CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38491 – mptcp: make fallback action and fallback decision atomic
https://notcve.org/view.php?id=CVE-2025-38491
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and fallback decision atomic Syzkaller reported the following splat: WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline] WARNING: CPU: 1 P... • https://git.kernel.org/stable/c/0530020a7c8f2204e784f0dbdc882bbd961fdbde •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38490 – net: libwx: remove duplicate page_pool_put_full_page()
https://notcve.org/view.php?id=CVE-2025-38490
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: libwx: remove duplicate page_pool_put_full_page() page_pool_put_full_page() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic: [ 876.949834] __irq_exit_rcu+0xc7/0x130 [ 876.949836] common_interrupt+0xb8/0xd0 [ 876.949838] [ 876.949838]
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38489 – s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again
https://notcve.org/view.php?id=CVE-2025-38489
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has accidentally removed the critical piece of commit c730fce7c70c ("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing intermittent kernel panics in e.g. perf's on_switch() prog to reappear. Restore the fix and add a comment. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: s390/... • https://git.kernel.org/stable/c/c3062bdb859b6e2567e7f5c8cde20c0250bb130f •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38488 – smb: client: fix use-after-free in crypt_message when using async crypto
https://notcve.org/view.php?id=CVE-2025-38488
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediat... • https://git.kernel.org/stable/c/bce966530fd5542bbb422cb45ecb775f7a1a6bc3 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38487 – soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
https://notcve.org/view.php?id=CVE-2025-38487
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000004] *pgd=00000000 [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-000... • https://git.kernel.org/stable/c/9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38485 – iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush
https://notcve.org/view.php?id=CVE-2025-38485
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to ... • https://git.kernel.org/stable/c/79e3a5bdd9efbdf4e1069793d7735b432d641e7c •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38484 – iio: backend: fix out-of-bound write
https://notcve.org/view.php?id=CVE-2025-38484
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: backend: fix out-of-bound write The buffer is set to 80 character. If a caller write more characters, count is truncated to the max available space in "simple_write_to_buffer". But afterwards a string terminator is written to the buffer at offset count without boundary check. The zero termination is written OUT-OF-BOUND. Add a check that the given buffer is smaller then the buffer to prevent. En el kernel de Linux, se ha resuelto la si... • https://git.kernel.org/stable/c/df3892e5e861c43d5612728ed259634675b8a71f •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38483 – comedi: das16m1: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38483
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original... • https://git.kernel.org/stable/c/729988507680b2ce934bce61d9ce0ea7b235914c •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38482 – comedi: das6402: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38482
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test.... • https://git.kernel.org/stable/c/79e5e6addbb18bf56075f0ff552094a28636dd03 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38481 – comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
https://notcve.org/view.php?id=CVE-2025-38481
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. D... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •