CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2025-23150 – ext4: fix off-by-one error in do_split
https://notcve.org/view.php?id=CVE-2025-23150
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix off-by-one error in do_split Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split. BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Hardw... • https://git.kernel.org/stable/c/ea54176e5821936d109bb45dc2c19bd53559e735 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23148 – soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
https://notcve.org/view.php?id=CVE-2025-23148
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() soc_dev_attr->revision could be NULL, thus, a pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c"). This issue is found by our static analysis tool. In the Linux kernel, the following vulnerability has been resolved: soc: samsung: exynos... • https://git.kernel.org/stable/c/3253b7b7cd44c4dd029a4ce280ef9f409a256e5f •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23147 – i3c: Add NULL pointer check in i3c_master_queue_ibi()
https://notcve.org/view.php?id=CVE-2025-23147
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: i3c: Add NULL pointer check in i3c_master_queue_ibi() The I3C master driver may receive an IBI from a target device that has not been probed yet. In such cases, the master calls `i3c_master_queue_ibi()` to queue an IBI work task, leading to "Unable to handle kernel read from unreadable memory" and resulting in a kernel panic. Typical IBI handling flow: 1. The I3C master scans target devices and probes their respective drivers. 2. The target... • https://git.kernel.org/stable/c/3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23143 – net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
https://notcve.org/view.php?id=CVE-2025-23143
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TC... • https://git.kernel.org/stable/c/ed07536ed6731775219c1df7fa26a7588753e693 •
CVSS: 5.5EPSS: 0%CPEs: 14EXPL: 0CVE-2025-23142 – sctp: detect and prevent references to a freed transport in sendmsg
https://notcve.org/view.php?id=CVE-2025-23142
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks to be sent. There's a possible race condition if another thread triggers the removal of that selected transport, for instance, by explicitly ... • https://git.kernel.org/stable/c/df132eff463873e14e019a07f387b4d577d6d1f9 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-23141 – KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
https://notcve.org/view.php?id=CVE-2025-23141
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and e... • https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23140 – misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
https://notcve.org/view.php?id=CVE-2025-23140
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs have been released. However, some requested IRQs remain unreleased, so there are still /proc/irq/* entries remaining, and this results in WARN() with the following message: remove_proc_entry: removing non-em... • https://git.kernel.org/stable/c/e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23139 – Bluetooth: hci_uart: Fix another race during initialization
https://notcve.org/view.php?id=CVE-2025-23139
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: Fix another race during initialization Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'. Possible race is when someone calls 'hci_tty_uart_close()' after this bit is set, but 'hci_uart_register_dev()' wasn't done. This leads to access to uninitialized fields. To fix it let's set this bit after device was registered (as before patch c411c62cc133) and to fix previous problem let's add one more bit i... • https://git.kernel.org/stable/c/5df5dafc171b90d0b8d51547a82657cd5a1986c7 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37838 – HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
https://notcve.org/view.php?id=CVE-2025-37838
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above wil... • https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 11EXPL: 0CVE-2025-39735 – jfs: fix slab-out-of-bounds read in ea_get()
https://notcve.org/view.php?id=CVE-2025-39735
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get() During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t... • https://git.kernel.org/stable/c/6e39b681d1eb16f408493bf5023788b57f68998c •