CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37795 – wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()
https://notcve.org/view.php?id=CVE-2025-37795
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() The ieee80211 skb control block key (set when skb was queued) could have been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue() already called ieee80211_tx_h_select_key() to get the current key, but the latter do not update the key in skb control block in case it is NULL. Because some drivers actually use this key in their TX callbacks (e.g. ath1{1,2}k... • https://git.kernel.org/stable/c/bb42f2d13ffcd0baed7547b37d05add51fcd50e1 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37794 – wifi: mac80211: Purge vif txq in ieee80211_do_stop()
https://notcve.org/view.php?id=CVE-2025-37794
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Purge vif txq in ieee80211_do_stop() After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state. Because vif.drv_priv is now cleared in this function, this could lead to driver crash. For example in ath12k, ahvif is store in vif.drv_priv.... • https://git.kernel.org/stable/c/ba8c3d6f16a1f9305c23ac1d2fd3992508c5ac03 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37793 – ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()
https://notcve.org/view.php?id=CVE-2025-37793
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component_probe() does not check for this case, which results in a NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component... • https://git.kernel.org/stable/c/739c031110da9ba966b0189fa25a2a1c0d42263c •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37792 – Bluetooth: btrtl: Prevent potential NULL dereference
https://notcve.org/view.php?id=CVE-2025-37792
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: Prevent potential NULL dereference The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' I... • https://git.kernel.org/stable/c/26503ad25de8c7c93a2037f919c2e49a62cf65f1 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37791 – ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll()
https://notcve.org/view.php?id=CVE-2025-37791
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct size of rpl is sizeof(*rpl) which should be just 1 byte. Using the pointer size instead can cause stack corruption: Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ethtool_cmis_wait_for_cond+0xf4/0x100 CPU: 72 UID: 0 PID: 4440 Comm: kworker/72:2 Kdump: loaded Tainted: G OE ... • https://git.kernel.org/stable/c/a39c84d796254e6b1662ca0c46dbc313379e9291 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37790 – net: mctp: Set SOCK_RCU_FREE
https://notcve.org/view.php?id=CVE-2025-37790
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mctp: Set SOCK_RCU_FREE Bind lookup runs under RCU, so ensure that a socket doesn't go away in the middle of a lookup. In the Linux kernel, the following vulnerability has been resolved: net: mctp: Set SOCK_RCU_FREE Bind lookup runs under RCU, so ensure that a socket doesn't go away in the middle of a lookup. • https://git.kernel.org/stable/c/833ef3b91de692ef33b800bca6b1569c39dece74 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37789 – net: openvswitch: fix nested key length validation in the set() action
https://notcve.org/view.php?id=CVE-2025-37789
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the attribute is OK first. In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the att... • https://git.kernel.org/stable/c/ccb1352e76cff0524e7ccb2074826a092dd13016 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-37788 – cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
https://notcve.org/view.php?id=CVE-2025-37788
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path In the for loop used to allocate the loc_array and bmap for each port, a memory leak is possible when the allocation for loc_array succeeds, but the allocation for bmap fails. This is because when the control flow goes to the label free_eth_finfo, only the allocations starting from (i-1)th iteration are freed. Fix that by freeing the loc_array in the bmap allocation error pat... • https://git.kernel.org/stable/c/d915c299f1da68a7dbb43895b8741c7b916c9d08 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37787 – net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered
https://notcve.org/view.php?id=CVE-2025-37787
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Russell King reports that a system with mv88e6xxx dereferences a NULL pointer when unbinding this driver: https://lore.kernel.org/netdev/Z_lRkMlTJ1KQ0kVX@shell.armlinux.org.uk/ The crash seems to be in devlink_region_destroy(), which is not NULL tolerant but is given a NULL devlink global region pointer. At least on some chips, some devlink regions are cond... • https://git.kernel.org/stable/c/836021a2d0e0e4c90b895a35bd9c0342071855fb •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37786 – net: dsa: free routing table on probe failure
https://notcve.org/view.php?id=CVE-2025-37786
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: free routing table on probe failure If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path. After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequent function may fail. If that happens, the entire tree setup is in limbo: the first N-1 switches have successfully finished probing (doing noth... • https://git.kernel.org/stable/c/c5f51765a1f60b701840544faf3ca63204b8dc3c •