CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38342 – software node: Correct a OOB check in software_node_get_reference_args()
https://notcve.org/view.php?id=CVE-2025-38342
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: software node: Correct a OOB check in software_node_get_reference_args() software_node_get_reference_args() wants to get @index-th element, so the property value requires at least '(index + 1) * sizeof(*ref)' bytes but that can not be guaranteed by current OOB check, and may cause OOB for malformed property. Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'. In the Linux kernel, the following vulnerability has been res... • https://git.kernel.org/stable/c/59abd83672f70cac4b6bf9b237506c5bc6837606 •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38341 – eth: fbnic: avoid double free when failing to DMA-map FW msg
https://notcve.org/view.php?id=CVE-2025-38341
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: avoid double free when failing to DMA-map FW msg The semantics are that caller of fbnic_mbx_map_msg() retains the ownership of the message on error. All existing callers dutifully free the page. In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: avoid double free when failing to DMA-map FW msg The semantics are that caller of fbnic_mbx_map_msg() retains the ownership of the message on error. All exis... • https://git.kernel.org/stable/c/da3cde08209ec1c915195c2331c275397f34a731 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38339 – powerpc/bpf: fix JIT code size calculation of bpf trampoline
https://notcve.org/view.php?id=CVE-2025-38339
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/bpf: fix JIT code size calculation of bpf trampoline arch_bpf_trampoline_size() provides JIT size of the BPF trampoline before the buffer for JIT'ing it is allocated. The total number of instructions emitted for BPF trampoline JIT code depends on where the final image is located. So, the size arrived at with the dummy pass in arch_bpf_trampoline_size() can vary from the actual size needed in arch_prepare_bpf_trampoline(). When the i... • https://git.kernel.org/stable/c/d243b62b7bd3d5314382d3b54e4992226245e936 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38338 – fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()
https://notcve.org/view.php?id=CVE-2025-38338
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadlock because folio_unlock() was called twice, and the second call would XOR back the `PG_locked` flag. Most of the time (depending on the timing of the truncation), nobody notices the problem because folio_unlock() gets called three times, which flips `PG_locked` back off: 1.... • https://git.kernel.org/stable/c/000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38337 – jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
https://notcve.org/view.php?id=CVE-2025-38337
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: ================================================================== BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata write to 0xffff888011024104 ... • https://git.kernel.org/stable/c/6e06ae88edae77379bef7c0cb7d3c2dd88676867 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38336 – ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
https://notcve.org/view.php?id=CVE-2025-38336
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 The controller has a hardware bug that can hard hang the system when doing ATAPI DMAs without any trace of what happened. Depending on the device attached, it can also prevent the system from booting. In this case, the system hangs when reading the ATIP from optical media with cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an Optiarc DVD RW AD-7200A 1.06 attached to an ASR... • https://git.kernel.org/stable/c/67d66a5e4583fd3bcf13d6f747e571df13cbad51 •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38335 – Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
https://notcve.org/view.php?id=CVE-2025-38335
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0 ... • https://git.kernel.org/stable/c/019002f20cb5b9f78d39360aff244265d035e08a •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38334 – x86/sgx: Prevent attempts to reclaim poisoned pages
https://notcve.org/view.php?id=CVE-2025-38334
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages. The longer story: Pages used by an enclave only get epc_page->poison set in arch_memory_failure() but they curren... • https://git.kernel.org/stable/c/70d3b8ddcd20d3c859676f56c43c7b2360c70266 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38333 – f2fs: fix to bail out in get_new_segment()
https://notcve.org/view.php?id=CVE-2025-38333
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to bail out in get_new_segment() ------------[ cut here ]------------ WARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 new_curseg+0x5e8/0x6dc pc : new_curseg+0x5e8/0x6dc Call trace: new_curseg+0x5e8/0x6dc f2fs_allocate_data_block+0xa54/0xe28 do_write_page+0x6c/0x194 f2fs_do_write_node_page+0x38/0x78 __write_node_page+0x248/0x6d4 f2fs_sync_node_pages+0x524/0x72c f2fs_write_checkpoint+0x4bc/0x9b0 __checkpoint_and_complete_reqs+0x8... • https://git.kernel.org/stable/c/98e4da8ca301e062d79ae168c67e56f3c3de3ce4 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38332 – scsi: lpfc: Use memcpy() for BIOS version
https://notcve.org/view.php?id=CVE-2025-38332
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the resulting buffer is NULL terminated. BIOSVersion is only used for the lpfc_printf_log() which expects a properly terminated string. In the Linu... • https://git.kernel.org/stable/c/ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d •