CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40099 – cifs: parse_dfs_referrals: prevent oob on malformed input
https://notcve.org/view.php?id=CVE-2025-40099
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: parse_dfs_referrals: prevent oob on malformed input. A malicious SMB server can send an invalid reply to FSCTL_DFS_GET_REFERRALS:
- a reply smaller than sizeof(struct get_dfs_referral_rsp)
- a reply with fewer referrals than NumberOfReferrals in the header
Processing such replies will cause an oob. Return -EINVAL on such replies to prevent the out-of-bounds accesses.
Fix: https://git.kernel.org/stable/c/cfacc7441f760e4a73cc71b6ff1635261d534657
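The two length checks the advisory describes, as an added example that is not the kernel's parse_dfs_referrals() and does not use the kernel's struct definitions. The wire layout (an 8-byte header with NumberOfReferrals at offset 2, followed by referral records whose Size field at offset 2 gives the distance to the next record, all little-endian) is a simplified model assumed for the example; DFS_HDR_LEN, DFS_REF_LEN, build_reply() and the demo_* helpers are hypothetical names. The test input is constructed inline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire layout (example model, NOT the kernel's get_dfs_referral_rsp):
 *   header  : PathConsumed u16, NumberOfReferrals u16, DFSFlags u32 -> 8 bytes
 *   referral: VersionNumber u16, Size u16, 14 further bytes         -> 18 bytes
 * Integers are little-endian as on the SMB wire. */
#define DFS_HDR_LEN 8
#define DFS_REF_LEN 18

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Walk the referrals of a FSCTL_DFS_GET_REFERRALS reply without trusting the
 * server. Returns the referral count, or -EINVAL for: a reply shorter than the
 * header, a header claiming more records than the payload carries, or a record
 * whose Size runs past the end of the reply. Every bound is derived from
 * rsp_len, never from server-supplied counts alone. */
int parse_dfs_referrals(const uint8_t *rsp, size_t rsp_len)
{
    size_t off = DFS_HDR_LEN;
    unsigned n, i;

    if (rsp_len < DFS_HDR_LEN)              /* reply smaller than the header */
        return -EINVAL;
    n = rd16(rsp + 2);                       /* NumberOfReferrals */
    if (n == 0)
        return -EINVAL;
    for (i = 0; i < n; i++) {
        unsigned size;
        if (rsp_len - off < DFS_REF_LEN)     /* fewer records than claimed */
            return -EINVAL;
        size = rd16(rsp + off + 2);          /* Size: bytes to the next record */
        if (size < DFS_REF_LEN || size > rsp_len - off)
            return -EINVAL;
        off += size;
    }
    return (int)n;
}

/* Constructed reply: header advertising `claimed` referrals, followed by
 * `present` minimal records. Returns the reply length (0 if buf is too small). */
size_t build_reply(uint8_t *buf, size_t cap, uint16_t claimed, unsigned present)
{
    size_t len = DFS_HDR_LEN + (size_t)present * DFS_REF_LEN;
    unsigned i;
    if (len > cap)
        return 0;
    memset(buf, 0, len);
    wr16(buf + 0, 0);                        /* PathConsumed */
    wr16(buf + 2, claimed);                  /* NumberOfReferrals */
    for (i = 0; i < present; i++) {
        uint8_t *r = buf + DFS_HDR_LEN + i * DFS_REF_LEN;
        wr16(r + 0, 3);                      /* VersionNumber */
        wr16(r + 2, DFS_REF_LEN);            /* Size */
    }
    return len;
}

/* Well-formed: header and payload agree on two referrals. */
int demo_well_formed(void)
{
    uint8_t b[64];
    size_t l = build_reply(b, sizeof b, 2, 2);
    return parse_dfs_referrals(b, l);
}

/* Malformed shape 1: reply shorter than the header. */
int demo_short_reply(void)
{
    uint8_t b[64];
    build_reply(b, sizeof b, 1, 1);
    return parse_dfs_referrals(b, 4);
}

/* Malformed shape 2: header claims five referrals, only two are present. */
int demo_overclaimed(void)
{
    uint8_t b[64];
    size_t l = build_reply(b, sizeof b, 5, 2);
    return parse_dfs_referrals(b, l);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("short reply: %d (expect -EINVAL=%d)\n", demo_short_reply(), -EINVAL);
    printf("overclaimed: %d (expect -EINVAL=%d)\n", demo_overclaimed(), -EINVAL);
    return 0;
}
```

The point of the loop is that the record count from the header is only ever used as an upper bound on iterations; the remaining length of the reply decides whether the next record may be read at all.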
CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40098 – ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()
https://notcve.org/view.php?id=CVE-2025-40098
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state(). The return value of acpi_evaluate_dsm() is dereferenced without checking for NULL, although it is usually checked for this function. acpi_evaluate_dsm() may return NULL when acpi_evaluate_object() returns an acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fix: https://git.kernel.org/stable/c/447106e92a0c86c332d40710436f38f64c322cd6
CVSS: 6.6 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40097 – ALSA: hda: Fix missing pointer check in hda_component_manager_init function
https://notcve.org/view.php?id=CVE-2025-40097
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix missing pointer check in hda_component_manager_init function. The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced. The call stack leading to the error looks like this:
hda_component_manager_init
|-> component_match_add
  |-> component_match_add_release
    |-> __component_match_add ( ... ,**matchptr, ... )
      |-> *matchptr = ERR_PTR(-ENOMEM); // assign...
Fix: https://git.kernel.org/stable/c/ae7abe36e352eddf8e30d3b1ea3fb402514ba13b
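Why a NULL test alone does not catch this, shown with an added userspace model that is not the kernel's hda_component_manager_init() or component code. The ERR_PTR/IS_ERR/PTR_ERR helpers below reproduce the encoding from include/linux/err.h (errno values packed into the top 4095 addresses); model_match_add(), manager_init_checked(), null_guard_misses_errptr() and the fail_alloc knob are hypothetical names introduced for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace copy of the kernel's pointer/errno encoding: a negative errno is
 * stored in the pointer bits, so ERR_PTR(-ENOMEM) is a non-NULL value that no
 * real allocation can ever return. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
    return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}

struct component_match { int count; };

/* Stand-in for __component_match_add(): allocates the match on first use and,
 * when the allocation fails, stores ERR_PTR(-ENOMEM) through matchptr, which is
 * the value the advisory says the caller went on to dereference.
 * `fail_alloc` is a test knob, not kernel API. */
static void model_match_add(struct component_match **matchptr, int fail_alloc)
{
    if (*matchptr == NULL)
        *matchptr = fail_alloc ? ERR_PTR(-ENOMEM)
                               : calloc(1, sizeof **matchptr);
    if (*matchptr == NULL || IS_ERR(*matchptr))
        return;                              /* nothing valid to update */
    (*matchptr)->count++;
}

/* Fixed shape: test with IS_ERR() before touching the pointer and propagate
 * the encoded errno with PTR_ERR(). Returns 0 on success, -ENOMEM when the
 * allocation inside the helper failed. */
int manager_init_checked(int fail_alloc)
{
    struct component_match *match = NULL;
    int n;

    model_match_add(&match, fail_alloc);
    if (IS_ERR(match))
        return (int)PTR_ERR(match);          /* -ENOMEM, no dereference */
    if (match == NULL)
        return -ENOMEM;
    n = match->count;                        /* safe: a real pointer */
    free(match);
    return n == 1 ? 0 : -EINVAL;
}

/* Why `if (!match)` is not enough: the error value is non-NULL, so a
 * NULL-only guard passes it straight to the dereference. Returns 1 when the
 * guard would have let the bogus pointer through. */
int null_guard_misses_errptr(void)
{
    void *p = ERR_PTR(-ENOMEM);
    return (p != NULL) && IS_ERR(p);
}

int main(void)
{
    printf("init ok: %d, init with alloc failure: %d (ENOMEM=%d)\n",
           manager_init_checked(0), manager_init_checked(1), -ENOMEM);
    printf("NULL guard misses ERR_PTR: %d\n", null_guard_misses_errptr());
    return 0;
}
```

In kernel code the same distinction applies to every API that documents an ERR_PTR return: check IS_ERR() (or IS_ERR_OR_NULL() where both are possible), never just NULL.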
CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40096 – drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
https://notcve.org/view.php?id=CVE-2025-40096
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies. When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free. Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since t...
Fix: https://git.kernel.org/stable/c/963d0b3569354230f6e2c36a286ef270a8901878
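The ownership rule behind this bug, as an added example that is not the kernel's drm/sched or dma_fence code: a callee that "consumes" the reference on every path must not be followed by a caller-side put on failure. The fence, job_add_dependency(), the two caller shapes and run_scenario()/owner_release_underflows() are a hypothetical model; `fail` stands in for the xarray expansion failure.

```c
#include <errno.h>
#include <stdio.h>

/* Minimal model of a dma_fence: a counted reference plus a flag that records
 * what refcount_t would WARN about in the kernel (a put at zero). */
struct fence { int refcount; int underflow; };

static void fence_get(struct fence *f) { f->refcount++; }
static void fence_put(struct fence *f)
{
    if (f->refcount == 0) { f->underflow = 1; return; }
    f->refcount--;
}

/* Model of drm_sched_job_add_dependency(): takes ownership of the caller's
 * reference and is responsible for it on every path. On failure it drops the
 * reference itself; on success the job keeps it until the job is cleaned up. */
static int job_add_dependency(struct fence *f, int fail)
{
    if (fail) {
        fence_put(f);                        /* consumed on the failure path too */
        return -ENOMEM;
    }
    return 0;                                /* consumed: now owned by the job */
}

/* Buggy caller shape from the advisory: a second put on the error path. */
int add_resv_dependencies_buggy(struct fence *f, int fail)
{
    int ret;
    fence_get(f);                            /* caller's own reference */
    ret = job_add_dependency(f, fail);
    if (ret) {
        fence_put(f);                        /* wrong: callee already dropped it */
        return ret;
    }
    return 0;
}

/* Fixed caller shape: the callee owns the reference, so the error path only
 * returns. */
int add_resv_dependencies_fixed(struct fence *f, int fail)
{
    fence_get(f);
    return job_add_dependency(f, fail);
}

/* The fence starts with one reference held by its owner (the reservation
 * object). Returns the refcount after the caller has run. */
int run_scenario(int buggy, int fail)
{
    struct fence f = { 1, 0 };
    if (buggy)
        add_resv_dependencies_buggy(&f, fail);
    else
        add_resv_dependencies_fixed(&f, fail);
    return f.refcount;
}

/* Same scenario, followed by the owner releasing its reference: with the
 * buggy caller the owner's put lands on a refcount that is already zero.
 * Returns 1 when that underflow happened. */
int owner_release_underflows(int buggy)
{
    struct fence f = { 1, 0 };
    if (buggy)
        add_resv_dependencies_buggy(&f, 1);
    else
        add_resv_dependencies_fixed(&f, 1);
    fence_put(&f);                           /* owner drops its reference */
    return f.underflow;
}

int main(void)
{
    printf("buggy, failure : refcount %d\n", run_scenario(1, 1));
    printf("fixed, failure : refcount %d\n", run_scenario(0, 1));
    printf("fixed, success : refcount %d (job owns one)\n", run_scenario(0, 0));
    printf("owner put underflows: buggy=%d fixed=%d\n",
           owner_release_underflows(1), owner_release_underflows(0));
    return 0;
}
```

With the buggy caller the owner's reference is silently stolen on the error path, which is why the symptom is a later use-after-free or double free rather than a crash at the faulty put itself.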
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40095 – usb: gadget: f_rndis: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40095
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free(). After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
Fix: https://git.kernel.org/stable/c/45fe3b8e5342cd1ce307099459c74011d8e01986
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-40094 – usb: gadget: f_acm: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40094
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_acm: Refactor bind path to use __free(). After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address...
Fix: https://git.kernel.org/stable/c/1f1ba11b64947051fc32aa15fcccef6463b433f7
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40093 – usb: gadget: f_ecm: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40093
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ecm: Refactor bind path to use __free(). After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
Fix: https://git.kernel.org/stable/c/da741b8c56d612b5dd26ffa31341911a5fea23ee
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-40092 – usb: gadget: f_ncm: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40092
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Refactor bind path to use __free(). After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address...
Fix: https://git.kernel.org/stable/c/9f6ce4240a2bf456402c15c06768059e5973f28c
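The four gadget entries above (f_rndis, f_acm, f_ecm, f_ncm) describe the same bug shape, so one added example covers them. It is a userspace model, not the kernel's gadget code: the "unified error label" bind beside a scoped-cleanup bind built on the GCC/Clang cleanup attribute, which is the mechanism the kernel's __free() wraps. The endpoint, request, function object, ep_alloc_request()/ep_free_request(), func_bind_buggy()/func_bind_scoped() and the scenario() helper are hypothetical names; a free through a NULL endpoint is counted instead of crashing so the sequence can be observed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct request { int pad; };
struct ep { int in_use; };

static int live_requests;     /* outstanding allocations, to spot leaks */
static int null_ep_frees;     /* stands in for the kernel oops on ep->ops */

static struct request *ep_alloc_request(struct ep *ep)
{
    struct request *r = calloc(1, sizeof *r);
    (void)ep;
    if (r)
        live_requests++;
    return r;
}

/* Model of usb_ep_free_request(): the kernel reaches ep->ops->free_request,
 * so a NULL ep is exactly the dereference the advisories report. */
static void ep_free_request(struct ep *ep, struct request *req)
{
    if (!ep) { null_ep_frees++; return; }
    free(req);
    live_requests--;
}

/* The function object: an endpoint and its notification request. */
struct func { struct ep *notify; struct request *notify_req; };

/* Unbind releases the request and the endpoint but, as in the advisories,
 * leaves notify_req stale rather than clearing it. */
static void func_unbind(struct func *f)
{
    ep_free_request(f->notify, f->notify_req);
    f->notify = NULL;
}

/* Buggy bind: one error label frees whatever notify_req currently holds.
 * When the endpoint lookup fails on a re-bind, notify_req is the stale
 * pointer from the previous cycle and f->notify is NULL. */
int func_bind_buggy(struct func *f, struct ep *ep)
{
    int ret;
    if (!ep) { ret = -ENODEV; goto fail; }   /* endpoint autoconfig failed */
    f->notify = ep;
    f->notify_req = ep_alloc_request(ep);
    if (!f->notify_req) { ret = -ENOMEM; goto fail; }
    return 0;
fail:
    if (f->notify_req)
        ep_free_request(f->notify, f->notify_req);
    return ret;
}

/* Scoped cleanup: the attribute below is what the kernel's __free() expands
 * to. The request lives in a local that is freed automatically on any early
 * return; on success ownership moves to the function object and the local is
 * cleared so the cleanup does nothing (the kernel's no_free_ptr() idiom). */
static void cleanup_request(struct request **p)
{
    if (*p) { free(*p); live_requests--; }
}
#define CLEANUP_REQUEST __attribute__((cleanup(cleanup_request)))

int func_bind_scoped(struct func *f, struct ep *ep)
{
    if (!ep)
        return -ENODEV;                      /* stale notify_req never touched */
    struct request *req CLEANUP_REQUEST = ep_alloc_request(ep);
    if (!req)
        return -ENOMEM;                      /* nothing to undo: req is NULL */
    f->notify = ep;
    f->notify_req = req;
    req = NULL;                              /* transferred; cleanup is a no-op */
    return 0;
}

/* The advisories' sequence: bind, unbind, then a bind whose endpoint lookup
 * fails. Returns how many frees went through a NULL endpoint (0 is correct),
 * or -1 if the first bind unexpectedly failed. */
int scenario(int use_scoped)
{
    struct ep ep = { 1 };
    struct func f = { NULL, NULL };
    int (*bind)(struct func *, struct ep *) =
        use_scoped ? func_bind_scoped : func_bind_buggy;

    null_ep_frees = 0;
    live_requests = 0;
    if (bind(&f, &ep) != 0)
        return -1;
    func_unbind(&f);
    return bind(&f, NULL) == -ENODEV ? null_ep_frees : -1;
}

int leaked_requests(void) { return live_requests; }

int main(void)
{
    printf("buggy bind : %d NULL-endpoint free(s)\n", scenario(0));
    printf("scoped bind: %d NULL-endpoint free(s), leaked=%d\n",
           scenario(1), leaked_requests());
    return 0;
}
```

The scoped version never consults the function object's old state on its error paths, which is what removes the dependence on unbind clearing every pointer it frees.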
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40091 – ixgbe: fix too early devlink_free() in ixgbe_remove()
https://notcve.org/view.php?id=CVE-2025-40091
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix too early devlink_free() in ixgbe_remove(). Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.
KASAN report:
BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]
Read of size 8 at addr ffff0000adf813e0 by task bash/2095
CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 P...
Fix: https://git.kernel.org/stable/c/a0285236ab93fdfdd1008afaa04561d142d6c276
CVSS: 7.1 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-40090 – ksmbd: fix recursive locking in RPC handle list access
https://notcve.org/view.php?id=CVE-2025-40090
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix recursive locking in RPC handle list access. Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock. This causes hung connections / tasks when a client attempts to open a named pipe. Using Samba's rpcclient tool:
$ rpcclient //192.168.1.254 -U user%password
rpcclient $> srvinfo
