CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38695 – scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
https://notcve.org/view.php?id=CVE-2025-38695
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may occur before sli4_hba.hdwqs are allocated. This may result in a null pointer dereference when attempting to take the abts_io_buf_list_lock for the first hardware queue. Fix by adding a null ptr check on phba->sli4_hba.hdwq and ... • https://git.kernel.org/stable/c/6711ce7e9de4eb1a541ef30638df1294ea4267f8 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38694 – media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
https://notcve.org/view.php?id=CVE-2025-38694
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar issue occurs when access msg[1].buf[0] and msg[1].buf[1]. • https://git.kernel.org/stable/c/bc07cae4f36bb18d5b6a9ed835c1278ca44ec82e •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38693 – media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
https://notcve.org/view.php?id=CVE-2025-38693
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027... • https://git.kernel.org/stable/c/7a41ecfc3415ebe3b4c44f96b3337691dcf431a3 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38691 – pNFS: Fix uninited ptr deref in block/scsi layout
https://notcve.org/view.php?id=CVE-2025-38691
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers. An additional problem is... • https://git.kernel.org/stable/c/579b85f893d9885162e1cabf99a4a088916e143e •
CVSS: 6.3EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38687 – comedi: fix race between polling and detaching
https://notcve.org/view.php?id=CVE-2025-38687
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: fix race between polling and detaching syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of... • https://git.kernel.org/stable/c/2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38685 – fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
https://notcve.org/view.php?id=CVE-2025-38685
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part of mapping it has to do resize of console according to frame buffer info. if this resize fails and returns from vc_do_resize() and continues further. At this point... • https://git.kernel.org/stable/c/078e62bffca4b7e72e8f3550eb063ab981c36c7a •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38680 – media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
https://notcve.org/view.php?id=CVE-2025-38680
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format(). In the Linux kernel, the following ... • https://git.kernel.org/stable/c/c0efd232929c2cd87238de2cccdaf4e845be5b0c •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38679 – media: venus: Fix OOB read due to missing payload bound check
https://notcve.org/view.php?id=CVE-2025-38679
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds... • https://git.kernel.org/stable/c/09c2845e8fe4fcab942929480203f504a6e0a114 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38677 – f2fs: fix to avoid out-of-boundary access in dnode page
https://notcve.org/view.php?id=CVE-2025-38677
30 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in dnode page As Jiaming Zhang reported:
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-58240 – tls: separate no-async decryption request handling from async
https://notcve.org/view.php?id=CVE-2024-58240
28 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: tls: separate no-async decryption request handling from async If we're not doing async, the handling is much simpler. There's no reference counting, we just need to wait for the completion to wake us up and return its result. We should preferably also use a separate crypto_wait. I'm not seeing a UAF as I did in the past, I think aec7961916f3 ("tls: fix race between async notify and socket close") took care of it. This will make the next fix... • https://git.kernel.org/stable/c/3c4d7559159bfe1e3b94df3a657b2cda3a34e218 •