CVSS: 8.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39986 – can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39986
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Sending a PF_PACKET allows bypassing the CAN framework logic and directly reaching the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the sun4i_can driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to con... • https://git.kernel.org/stable/c/0738eff14d817a02ab082c392c96a1613006f158 •
CVSS: 8.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39985 – can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39985
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Sending a PF_PACKET allows bypassing the CAN framework logic and directly reaching the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the mcba_usb driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to confi... • https://git.kernel.org/stable/c/51f3baad7de943780ce0c17bd7975df567dd6e14 •
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39982 – Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
https://notcve.org/view.php?id=CVE-2025-39982
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync This fixes the following UAF in hci_acl_create_conn_sync where a connection still pending is command submission (conn->state == BT_OPEN) may be freed, also since this also can happen with the likes of hci_le_create_conn_sync fix it as well: BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861 Write of size 2 at addr ffff88805ffcc038 by ... • https://git.kernel.org/stable/c/aef2aa4fa98e18ea5d9345bf777ee698c8598728 • CWE-416: Use After Free •
CVSS: 7.0 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-39981 – Bluetooth: MGMT: Fix possible UAFs
https://notcve.org/view.php?id=CVE-2025-39981
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attempts to fix possible UAFs caused by struct mgmt_pending being freed while still being processed like in the following trace, in order to fix mgmt_pending_valid is introduced and used to check if the mgmt_pending hasn't been removed from the pending list, on the complete callbacks it is used to check and in addition remove the cmd from the list while holding mgmt_pending_lock to avoid TOCTOU problems s... • https://git.kernel.org/stable/c/cf75ad8b41d2aa06f98f365d42a3ae8b059daddd •
CVSS: 6.1 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2025-39980 – nexthop: Forbid FDB status change while nexthop is in a group
https://notcve.org/view.php?id=CVE-2025-39980
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: nexthop: Forbid FDB status change while nexthop is in a group The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops:
 # ip nexthop add id 1 via 192.0.2.1 fdb
 # ip nexthop add id 2 group 1
 Error: Non FDB nexthop group cannot have fdb nexthops.
And vice versa:
 # ip nexthop add id 3 via 192.0.2.2 dev dummy1
 # ip nexthop add id 4 group 3 fdb
 Error: FDB nexthop group can only have fdb nexthops.
However, as long as no routes ... • https://git.kernel.org/stable/c/38428d68719c454d269cb03b776d8a4b0ad66111 •
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39978 – octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
https://notcve.org/view.php?id=CVE-2025-39978
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free. • https://git.kernel.org/stable/c/68fbff68dbea35f9e6f7649dd22fce492a5aedac •
CVSS: 7.1 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39977 – futex: Prevent use-after-free during requeue-PI
https://notcve.org/view.php?id=CVE-2025-39977
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* bac... • https://git.kernel.org/stable/c/07d91ef510fb16a2e0ca7453222105835b7ba3b8 •
CVSS: 7.2 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39973 – i40e: add validation for ring_len param
https://notcve.org/view.php?id=CVE-2025-39973
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ring_len param The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a mu... • https://git.kernel.org/stable/c/5c3c48ac6bf56367c4e89f6453cd2d61e50375bd •
CVSS: 7.2 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39972 – i40e: fix idx validation in i40e_validate_queue_map
https://notcve.org/view.php?id=CVE-2025-39972
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in i40e_validate_queue_map Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_validate_queue_map(). Several vulnerabilities have been discover... • https://git.kernel.org/stable/c/c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 •
CVSS: 7.6 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39971 – i40e: fix idx validation in config queues msg
https://notcve.org/view.php?id=CVE-2025-39971
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg(). Several vulnerabilities have been discovered in th... • https://git.kernel.org/stable/c/c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 • CWE-787: Out-of-bounds Write •
