CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40195 – mount: handle NULL values in mnt_ns_release()
https://notcve.org/view.php?id=CVE-2025-40195
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release() When calling in listmount() mnt_ns_release() may be passed a NULL pointer. Handle that case gracefully. In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release() When calling in listmount() mnt_ns_release() may be passed a NULL pointer. Handle that case gracefully. • https://git.kernel.org/stable/c/2d68f8a7379d9c61005e982600c61948d4d019bd •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40194 – cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
https://notcve.org/view.php?id=CVE-2025-40194
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_psta... • https://git.kernel.org/stable/c/da5c504c7aae96db68c4b38e2564a88e91842d89 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40193 – xtensa: simdisk: add input size check in proc_write_simdisk
https://notcve.org/view.php?id=CVE-2025-40193
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash. This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()") In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could ... • https://git.kernel.org/stable/c/b6c7e873daf765e41233b9752083b66442703b7a •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40190 – ext4: guard against EA inode refcount underflow in xattr update
https://notcve.org/view.php?id=CVE-2025-40190
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40188 – pwm: berlin: Fix wrong register in suspend/resume
https://notcve.org/view.php?id=CVE-2025-40188
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume. In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwi... • https://git.kernel.org/stable/c/bbf0722c1c663b08f612bd8c58af27f45aa84862 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40187 – net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
https://notcve.org/view.php?id=CVE-2025-40187
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function. In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_... • https://git.kernel.org/stable/c/30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b •
CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40186 – tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
https://notcve.org/view.php?id=CVE-2025-40186
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due t... • https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40183 – bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
https://notcve.org/view.php?id=CVE-2025-40183
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster. The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap... • https://git.kernel.org/stable/c/b4ab31414970a7a03a5d55d75083f2c101a30592 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40180 – mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
https://notcve.org/view.php?id=CVE-2025-40180
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent accessing memory beyond the allocated array bounds. In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starti... • https://git.kernel.org/stable/c/4981b82ba2ff87df6a711fcd7a233c615df5fc79 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40179 – ext4: verify orphan file size is not too big
https://notcve.org/view.php?id=CVE-2025-40179
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but lar... • https://git.kernel.org/stable/c/02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 •