CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40190 – ext4: guard against EA inode refcount underflow in xattr update
https://notcve.org/view.php?id=CVE-2025-40190
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40188 – pwm: berlin: Fix wrong register in suspend/resume
https://notcve.org/view.php?id=CVE-2025-40188
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume. In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwi... • https://git.kernel.org/stable/c/bbf0722c1c663b08f612bd8c58af27f45aa84862 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40187 – net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
https://notcve.org/view.php?id=CVE-2025-40187
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function. In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_... • https://git.kernel.org/stable/c/30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b •
CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40186 – tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
https://notcve.org/view.php?id=CVE-2025-40186
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due t... • https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40183 – bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
https://notcve.org/view.php?id=CVE-2025-40183
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster. The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap... • https://git.kernel.org/stable/c/b4ab31414970a7a03a5d55d75083f2c101a30592 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40180 – mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
https://notcve.org/view.php?id=CVE-2025-40180
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent accessing memory beyond the allocated array bounds. In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starti... • https://git.kernel.org/stable/c/4981b82ba2ff87df6a711fcd7a233c615df5fc79 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40179 – ext4: verify orphan file size is not too big
https://notcve.org/view.php?id=CVE-2025-40179
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but lar... • https://git.kernel.org/stable/c/02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40178 – pid: Add a judgment for ns null in pid_nr_ns
https://notcve.org/view.php?id=CVE-2025-40178
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns __task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) { Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns. For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DA... • https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40173 – net/ip6_tunnel: Prevent perpetual tunnel growth
https://notcve.org/view.php?id=CVE-2025-40173
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"), ipv6 tunnel yet increases the headroom without any ceiling. Reflect ipv4 tunnel headroom adjustment limit on ipv6 version. Credits to Francesco Ruggeri, who was originally debugging this ... • https://git.kernel.org/stable/c/8eb30be0352d09165e94a41fef1c7b994dca0714 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40171 – nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
https://notcve.org/view.php?id=CVE-2025-40171
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmet_fc_ls_req_op It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken. In the current code, only one put work item is queued at a time, which results in a leaked reference. To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command. In the Linux kernel, the fo... • https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4 •