CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38483 – comedi: das16m1: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38483
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original... • https://git.kernel.org/stable/c/729988507680b2ce934bce61d9ce0ea7b235914c •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38482 – comedi: das6402: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38482
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test.... • https://git.kernel.org/stable/c/79e5e6addbb18bf56075f0ff552094a28636dd03 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38481 – comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
https://notcve.org/view.php?id=CVE-2025-38481
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. D... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38480 – comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
https://notcve.org/view.php?id=CVE-2025-38480
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_re... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38478 – comedi: Fix initialization of data for instructions that write to subdevice
https://notcve.org/view.php?id=CVE-2025-38478
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, th... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38477 – net/sched: sch_qfq: Fix race condition on qfq_aggregate
https://notcve.org/view.php?id=CVE-2025-38477
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_clas... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38476 – rpl: Fix use-after-free in rpl_do_srh_inline().
https://notcve.org/view.php?id=CVE-2025-38476
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ====================... • https://git.kernel.org/stable/c/a7a29f9c361f8542604ef959ae6627f423b7a412 •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38474 – usb: net: sierra: check for no status endpoint
https://notcve.org/view.php?id=CVE-2025-38474
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission. In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interru... • https://git.kernel.org/stable/c/eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38473 – Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
https://notcve.org/view.php?id=CVE-2025-38473
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access... • https://git.kernel.org/stable/c/d97c899bde330cd1c76c3a162558177563a74362 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38472 – netfilter: nf_conntrack: fix crash due to removal of uninitialised entry
https://notcve.org/view.php?id=CVE-2025-38472
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry A crash in conntrack was reported while trying to unlink the conntrack entry from the hash bucket list: [exception RIP: __nf_ct_delete_from_lists+172] [..] #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack] #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack] #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_c... • https://git.kernel.org/stable/c/1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 •