CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21971 – net_sched: Prevent creation of classes with TC_H_ROOT
https://notcve.org/view.php?id=CVE-2025-21971
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead t... • https://git.kernel.org/stable/c/066a3b5b2346febf9a655b444567b7138e3bb939 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21970 – net/mlx5: Bridge, fix the crash caused by LAG state check
https://notcve.org/view.php?id=CVE-2025-21970
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's... • https://git.kernel.org/stable/c/ff9b7521468bc2909293c1cda66a245a49688f6f •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21969 – Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
https://notcve.org/view.php?id=CVE-2025-21969
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9... • https://git.kernel.org/stable/c/c96cce853542b3b13da3738f35ef1be8cfcc9d1d •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21968 – drm/amd/display: Fix slab-use-after-free on hdcp_work
https://notcve.org/view.php?id=CVE-2025-21968
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-... • https://git.kernel.org/stable/c/da3fd7ac0bcf372cc57117bdfcd725cca7ef975a •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21967 – ksmbd: fix use-after-free in ksmbd_free_work_struct
https://notcve.org/view.php?id=CVE-2025-21967
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever a oplock break wait is needed. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. W... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21964 – cifs: Fix integer overflow while processing acregmax mount option
https://notcve.org/view.php?id=CVE-2025-21964
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acregmax mount option User-provided mount parameter acregmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing... • https://git.kernel.org/stable/c/5780464614f6abe6026f00cf5a0777aa453ba450 •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21963 – cifs: Fix integer overflow while processing acdirmax mount option
https://notcve.org/view.php?id=CVE-2025-21963
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acdirmax mount option User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing... • https://git.kernel.org/stable/c/4c9f948142a550af416a2bfb5e56d29ce29e92cf •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-21962 – cifs: Fix integer overflow while processing closetimeo mount option
https://notcve.org/view.php?id=CVE-2025-21962
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing closetimeo mount option User-provided mount parameter closetimeo of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while proces... • https://git.kernel.org/stable/c/5efdd9122eff772eae2feae9f0fc0ec02d4846a3 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-21959 – netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
https://notcve.org/view.php?id=CVE-2025-21959
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple. The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them. By commit 34848d5c896e ("... • https://git.kernel.org/stable/c/b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21957 – scsi: qla1280: Fix kernel oops when debug level > 2
https://notcve.org/view.php?id=CVE-2025-21957
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 A null dereference or oops exception will eventually occur when qla1280.c driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I think its clear from the code that the intention here is sg_dma_len(s) not length of sg_next(s) when printing the debug info. In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 ... • https://git.kernel.org/stable/c/24602e2664c515a4f2950d7b52c3d5997463418c •