CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38123 – net: wwan: t7xx: Fix napi rx poll issue
https://notcve.org/view.php?id=CVE-2025-38123
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Fix napi rx poll issue When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic. BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:dev_gro_receive+0x3a/0x... • https://git.kernel.org/stable/c/5545b7b9f294de7f95ec6a7cb1de0db52296001c •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38122 – gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
https://notcve.org/view.php?id=CVE-2025-38122
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer. Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails. This improves robustness in low-memory scenarios. In the Linux kernel, the following vulnerability has been resolved: gve: add missing NULL... • https://git.kernel.org/stable/c/a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38121 – wifi: iwlwifi: mld: avoid panic on init failure
https://notcve.org/view.php?id=CVE-2025-38121
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: avoid panic on init failure In case of an error during init, in_hw_restart will be set, but it will never get cleared. Instead, we will retry to init again, and then we will act like we are in a restart when we are actually not. This causes (among others) to a NULL pointer dereference when canceling rx_omi::finished_work, that was not even initialized, because we thought that we are in hw_restart. Set in_hw_restart to tr... • https://git.kernel.org/stable/c/7391b2a4f7dbb7be7dd763bc87506c10f570a8d3 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38120 – netfilter: nf_set_pipapo_avx2: fix initial map fill
https://notcve.org/view.php?id=CVE-2025-38120
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo_avx2: fix initial map fill If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map. The early fix was incomplete and did only fix up the generic C implementation. A followup patch adds a test case to nft_concat_range.sh. In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo_avx2: fix initi... • https://git.kernel.org/stable/c/957a4d1c4c5849e4515c9fb4db21bf85318103dc •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38119 – scsi: core: ufs: Fix a hang in the error handler
https://notcve.org/view.php?id=CVE-2025-38119
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: core: ufs: Fix a hang in the error handler ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before. Backtrace: ... • https://git.kernel.org/stable/c/62694735ca95c74dac4eb9068d59801ac0ddebaf •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38118 – Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
https://notcve.org/view.php?id=CVE-2025-38118
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341 CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not ... • https://git.kernel.org/stable/c/66bd095ab5d408af106808cce302406542f70f65 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38117 – Bluetooth: MGMT: Protect mgmt_pending list with its own lock
https://notcve.org/view.php?id=CVE-2025-38117
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmt_pending list with its own lock This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like: ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318 CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15... • https://git.kernel.org/stable/c/a380b6cff1a2d2139772e88219d08330f84d0381 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38116 – wifi: ath12k: fix uaf in ath12k_core_init()
https://notcve.org/view.php?id=CVE-2025-38116
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix uaf in ath12k_core_init() When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequent access to this notifier chain. Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases. Call trace: notifier_cha... • https://git.kernel.org/stable/c/6f245ea0ec6c29b90c8fa4fdf6e178c646125d7e •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38115 – net_sched: sch_sfq: fix a potential crash on gso_skb handling
https://notcve.org/view.php?id=CVE-2025-38115
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop. Fix sfq_drop() to properly clear q->tail in this situation. ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K... • https://git.kernel.org/stable/c/a53851e2c3218aa30b77abd6e68cf1c371f15afe •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38114 – e1000: Move cancel_work_sync to avoid deadlock
https://notcve.org/view.php?id=CVE-2025-38114
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: e1000: Move cancel_work_sync to avoid deadlock Previously, e1000_down called cancel_work_sync for the e1000 reset task (via e1000_down_and_stop), which takes RTNL. As reported by users and syzbot, a deadlock is possible in the following scenario: CPU 0: - RTNL is held - e1000_close - e1000_down - cancel_work_sync (cancel / wait for e1000_reset_task()) CPU 1: - process_one_work - e1000_reset_task - take RTNL To remedy this, avoid calling can... • https://git.kernel.org/stable/c/e400c7444d84b0fd2ebb34e618f83abe05917543 •