CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38470 – net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
https://notcve.org/view.php?id=CVE-2025-38470
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problems with the above scheme. The first problem is a memory leak that can happen if the "rx-vlan-filter" feature is disabled while the device is runn... • https://git.kernel.org/stable/c/ad1afb00393915a51c21b1ae8704562bf036855f •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38468 – net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
https://notcve.org/view.php?id=CVE-2025-38468
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 The root cause is the following: 1. htb_deque... • https://git.kernel.org/stable/c/512bb43eb5422ee69a1be05ea0d89dc074fac9a2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38465 – netlink: Fix wraparounds of sk->sk_rmem_alloc.
https://notcve.org/view.php?id=CVE-2025-38465
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38460 – atm: clip: Fix potential null-ptr-deref in to_atmarpd().
https://notcve.org/view.php?id=CVE-2025-38460
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd(). En el kernel de Linu... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38459 – atm: clip: Fix infinite recursive call of clip_push().
https://notcve.org/view.php?id=CVE-2025-38459
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's preven... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38458 – atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
https://notcve.org/view.php?id=CVE-2025-38458
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38457 – net/sched: Abort __tc_modify_qdisc if parent class does not exist
https://notcve.org/view.php?id=CVE-2025-38457
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc... • https://git.kernel.org/stable/c/5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38449 – drm/gem: Acquire references on GEM handles for framebuffers
https://notcve.org/view.php?id=CVE-2025-38449
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is sho... • https://git.kernel.org/stable/c/cb4c956a15f8b7f870649454771fc3761f504b5f •
CVSS: 6.9EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38448 – usb: gadget: u_serial: Fix race condition in TTY wakeup
https://notcve.org/view.php?id=CVE-2025-38448
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_r... • https://git.kernel.org/stable/c/35f95fd7f234d2b58803bab6f6ebd6bb988050a2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38430 – nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
https://notcve.org/view.php?id=CVE-2025-38430
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: nfsd4_spo_must_allow() debe comprobar que se trata de una solicitud compue... • https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19 •