CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38597 – drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port
https://notcve.org/view.php?id=CVE-2025-38597
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port Each window of a vop2 is usable by a specific set of video ports, so while binding the vop2, we look through the list of available windows trying to find one designated as primary-plane and usable by that specific port. The code later wants to use drm_crtc_init_with_planes with that found primary plane, but nothing has checked so far if a primary plane was actually... • https://git.kernel.org/stable/c/604be85547ce4d61b89292d2f9a78c721b778c16 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38595 – xen: fix UAF in dmabuf_exp_from_pages()
https://notcve.org/view.php?id=CVE-2025-38595
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with an... • https://git.kernel.org/stable/c/a240d6e42e28c34fdc34b3a98ca838a31c939901 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38593 – Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'
https://notcve.org/view.php?id=CVE-2025-38593
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Function 'hci_discovery_filter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race: 'hci_cmd_sync_work()' 'update_passive_scan_sync()' 'hci_update_passive_scan_sync()' 'hci_discovery_filter_clear()' kfree(uuids); <-------------------------preempted--------------------------------> 'start_service_discovery()' 'hci_discovery_... • https://git.kernel.org/stable/c/ad383c2c65a5baf16e334cd40a013cc302176891 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-38591 – bpf: Reject narrower access to pointer ctx fields
https://notcve.org/view.php?id=CVE-2025-38591
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_na... • https://git.kernel.org/stable/c/f96da09473b52c09125cc9bf7d7d4576ae8229e0 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-38590 – net/mlx5e: Remove skb secpath if xfrm state is not found
https://notcve.org/view.php?id=CVE-2025-38590
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup. Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0. Subsequently, functions like __xfrm_policy_check()... • https://git.kernel.org/stable/c/b2ac7541e3777f325c49d900550c9e3dd10c0eda •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38585 – staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()
https://notcve.org/view.php?id=CVE-2025-38585
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer overflow: 1. gmin_get_config_var() does not return the proper error code when efi.get_variable() fails. It returns the stale 'ret' value from earlier operations instead of indicating the EFI failure. 2. When ef... • https://git.kernel.org/stable/c/38d4f74bc14847491d07bd745dc4a2c274f4987d •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38584 – padata: Fix pd UAF once and for all
https://notcve.org/view.php?id=CVE-2025-38584
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: padata: Fix pd UAF once and for all There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker. This reference count is (and only is) required for padata_replace to function correctly. If padata_replace is never called then there is no issue. In the function padata_reorder which serves as t... • https://git.kernel.org/stable/c/16295bec6398a3eedc9377e1af6ff4c71b98c300 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38583 – clk: xilinx: vcu: unregister pll_post only if registered correctly
https://notcve.org/view.php?id=CVE-2025-38583
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace: Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unregister+0xc/0x20 lr : clk_hw_unregister_fixed_factor+0x18/0x30 sp : ffff800011923850 ... Call trace: clk_hw_unregister+0xc/0x20 clk_hw_unregister_fixed_factor+0x18/... • https://git.kernel.org/stable/c/4472e1849db7f719bbf625890096e0269b5849fe •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38581 – crypto: ccp - Fix crash when rebind ccp device for ccp.ko
https://notcve.org/view.php?id=CVE-2025-38581
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - ... • https://git.kernel.org/stable/c/3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38579 – f2fs: fix KMSAN uninit-value in extent_info usage
https://notcve.org/view.php?id=CVE-2025-38579
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix KMSAN uninit-value in extent_info usage KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` and `__is_back_mergeable()` via the read extent tree path. The root cause is that `get_read_extent_info()` only initializes three fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the remaining fields uninitialized. This leads to undefined behavior when those fields are accessed later, especially during ext... • https://git.kernel.org/stable/c/94afd6d6e5253179c9b891d02081cc8355a11768 •