CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22009 – regulator: dummy: force synchronous probing
https://notcve.org/view.php?id=CVE-2025-22009
08 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: dummy: force synchronous probing Sometimes I get a NULL pointer dereference at boot time in kobject_get() with the following call stack: anatop_regulator_probe() devm_regulator_register() regulator_register() regulator_resolve_supply() kobject_get() By placing some extra BUG_ON() statements I could verify that this is raised because probing of the 'dummy' regulator driver is not completed ('dummy_regulator_rdev' is still NULL). I... • https://git.kernel.org/stable/c/259b93b21a9ffe5117af4dfb5505437e463c6a5a •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-22008 – regulator: check that dummy regulator has been probed before using it
https://notcve.org/view.php?id=CVE-2025-22008
08 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: regulador: comprobar que el regulador ficticio haya sido probado antes de usarlo Debido al sondeo asincrónico del controlador existe la posibilidad de que el regulador ficticio ... • https://git.kernel.org/stable/c/3a9c46af5654783f99015727ac65bc2a23e2735a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-22007 – Bluetooth: Fix error code in chan_alloc_skb_cb()
https://notcve.org/view.php?id=CVE-2025-22007
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. Several vulnerabilitie... • https://git.kernel.org/stable/c/6b8d4a6a03144c5996f98db7f8256267b0d72a3a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-22005 – ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
https://notcve.org/view.php?id=CVE-2025-22005
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's c... • https://git.kernel.org/stable/c/7dd73168e273938b9e9bb42ca51b0c27d807992b •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-22004 – net: atm: fix use after free in lec_send()
https://notcve.org/view.php?id=CVE-2025-22004
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. Several vulnerabilities have been discovered in the Linux kernel that may lead to a ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22003 – can: ucan: fix out of bound read in strscpy() source
https://notcve.org/view.php?id=CVE-2025-22003
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)). Let's consider below buffers: dest[len + 1]; /* will be NUL terminated */ src[len]; /* may not be NUL terminated */ When doing: strncpy(d... • https://git.kernel.org/stable/c/7fdaf8966aae476deafe11f9a0067ff588615444 •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22001 – accel/qaic: Fix integer overflow in qaic_validate_req()
https://notcve.org/view.php?id=CVE-2025-22001
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug. In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add... • https://git.kernel.org/stable/c/ff13be8303336ead5621712f2c55012d738878b5 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21999 – proc: fix UAF in proc_get_inode()
https://notcve.org/view.php?id=CVE-2025-21999
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _befo... • https://git.kernel.org/stable/c/778f3dd5a13c9e1642e0b2efea4b769387a70afa • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21997 – xsk: fix an integer overflow in xp_create_and_assign_umem()
https://notcve.org/view.php?id=CVE-2025-21997
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in ... • https://git.kernel.org/stable/c/94033cd8e73b8632bab7c8b7bb54caa4f5616db7 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21996 – drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
https://notcve.org/view.php?id=CVE-2025-21996
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter h... • https://git.kernel.org/stable/c/2fc5703abda201f138faf63bdca743d04dbf4b1a •