CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38481 – comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
https://notcve.org/view.php?id=CVE-2025-38481
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. D... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38480 – comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
https://notcve.org/view.php?id=CVE-2025-38480
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_re... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38478 – comedi: Fix initialization of data for instructions that write to subdevice
https://notcve.org/view.php?id=CVE-2025-38478
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, th... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38477 – net/sched: sch_qfq: Fix race condition on qfq_aggregate
https://notcve.org/view.php?id=CVE-2025-38477
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_clas... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38476 – rpl: Fix use-after-free in rpl_do_srh_inline().
https://notcve.org/view.php?id=CVE-2025-38476
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ====================... • https://git.kernel.org/stable/c/a7a29f9c361f8542604ef959ae6627f423b7a412 •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38474 – usb: net: sierra: check for no status endpoint
https://notcve.org/view.php?id=CVE-2025-38474
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission. In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interru... • https://git.kernel.org/stable/c/eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38473 – Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
https://notcve.org/view.php?id=CVE-2025-38473
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access... • https://git.kernel.org/stable/c/d97c899bde330cd1c76c3a162558177563a74362 •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38470 – net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
https://notcve.org/view.php?id=CVE-2025-38470
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problems with the above scheme. The first problem is a memory leak that can happen if the "rx-vlan-filter" feature is disabled while the device is runn... • https://git.kernel.org/stable/c/ad1afb00393915a51c21b1ae8704562bf036855f •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38468 – net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
https://notcve.org/view.php?id=CVE-2025-38468
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 The root cause is the following: 1. htb_deque... • https://git.kernel.org/stable/c/512bb43eb5422ee69a1be05ea0d89dc074fac9a2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38467 – drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling
https://notcve.org/view.php?id=CVE-2025-38467
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don... • https://git.kernel.org/stable/c/96976c3d9aff4e1387c30f6356ac01fa6f72ef46 •