CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40107 – can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
https://notcve.org/view.php?id=CVE-2025-40107
03 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled This issue is similar to the vulnerability in the `mcp251x` driver, which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from sleep before interface was brought up"). In the `hi311x` driver, when the device resumes from sleep, the driver schedules `priv->restart_work`. However, if the network interface was not previously enabled, the... • https://git.kernel.org/stable/c/d1fc4c041459e2d4856c1b2501486ba4f0cbf96b •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40106 – comedi: fix divide-by-zero in comedi_buf_munge()
https://notcve.org/view.php?id=CVE-2025-40106
31 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: fix divide-by-zero in comedi_buf_munge() The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar ... • https://git.kernel.org/stable/c/4ffea48c69cb2b96a281cb7e5e42d706996631db •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40099 – cifs: parse_dfs_referrals: prevent oob on malformed input
https://notcve.org/view.php?id=CVE-2025-40099
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: parse_dfs_referrals: prevent oob on malformed input Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header Processing of such replies will cause oob. Return -EINVAL error on such replies to prevent oob-s. In the Linux kernel, the following vulnerability has been resolved: cifs: parse_df... • https://git.kernel.org/stable/c/cfacc7441f760e4a73cc71b6ff1635261d534657 •
CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40088 – hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
https://notcve.org/view.php?id=CVE-2025-40088
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() The hfsplus_strcasecmp() logic can trigger the issue: [ 117.317703][ T9855] ================================================================== [ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [ 117.319577][ T9855] [ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm... • https://git.kernel.org/stable/c/603158d4efa98a13a746bd586c20f194f4a31ec8 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-7324 – scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
https://notcve.org/view.php?id=CVE-2023-7324
29 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses Sanitize possible addl_desc_ptr out-of-bounds accesses in ses_enclosure_data_process(). In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses Sanitize possible addl_desc_ptr out-of-bounds accesses in ses_enclosure_data_process(). The SUSE Linux Enterprise 15 SP5 RT kernel was updated to fix various security... • https://git.kernel.org/stable/c/af5114d824f3511a69d68beff49ca9a7c32d44e0 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40083 – net/sched: sch_qfq: Fix null-deref in agg_dequeue
https://notcve.org/view.php?id=CVE-2025-40083
29 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix null-deref in agg_dequeue To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_... • https://git.kernel.org/stable/c/71d84658a61322e5630c85c5388fc25e4a2d08b2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40053 – net: dlink: handle copy_thresh allocation failure
https://notcve.org/view.php?id=CVE-2025-40053
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh allocation failure The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference. This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path. Tested-on: D-Link DGE-550T Rev-A3 In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40044 – fs: udf: fix OOB read in lengthAllocDescs handling
https://notcve.org/view.php?id=CVE-2025-40044
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: udf: fix OOB read in lengthAllocDescs handling When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BU... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40030 – pinctrl: check the return value of pinmux_ops::get_function_name()
https://notcve.org/view.php?id=CVE-2025-40030
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: check the return value of pinmux_ops::get_function_name() While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp(... • https://git.kernel.org/stable/c/1a7fc8fed2bb2e113604fde7a45432ace2056b97 •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40025 – f2fs: fix to do sanity check on node footer for non inode dnode
https://notcve.org/view.php?id=CVE-2025-40025
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer for non inode dnode As syzbot reported below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/file.c:1243! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full) RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243 Call Trace: