CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39823 – KVM: x86: use array_index_nospec with indices that come from guest
https://notcve.org/view.php?id=CVE-2025-39823
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospec with indices that come from guest min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels. In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospec with indices that come from guest min and dest_id are guest-controlled indices. Using array_index_nospec() aft... • https://git.kernel.org/stable/c/4180bf1b655a791a0a6ef93a2ffffc762722c782 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39819 – fs/smb: Fix inconsistent refcnt update
https://notcve.org/view.php?id=CVE-2025-39819
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/smb: Fix inconsistent refcnt update A possible inconsistent update of refcount was identified in `smb2_compound_op`. Such inconsistent update could lead to possible resource leaks. Why it is a possible bug: 1. In the comment section of the function, it clearly states that the reference to `cfile` should be dropped after calling this function. 2. Every control flow path would check and drop the reference to `cfile`, except the patched one... • https://git.kernel.org/stable/c/a7d5c294628088781da9e91cbb034d61c3a71f71 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39817 – efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
https://notcve.org/view.php?id=CVE-2025-39817
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3... • https://git.kernel.org/stable/c/da27a24383b2b10bf6ebd0db29b325548aafecb4 • CWE-125: Out-of-bounds Read •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39813 – ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
https://notcve.org/view.php?id=CVE-2025-39813
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump When calling ftrace_dump_one() concurrently with reading trace_pipe, a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race condition. The issue occurs because: CPU0 (ftrace_dump) CPU1 (reader) echo z > /proc/sysrq-trigger !trace_empty(&iter) trace_iterator_reset(&iter) <- len = size = 0 cat /sys/kernel/tracing/trace_pipe trace_find_next_entry_inc(&iter) __f... • https://git.kernel.org/stable/c/d769041f865330034131525ee6a7f72eb4af2a24 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39812 – sctp: initialize more fields in sctp_v6_from_sk()
https://notcve.org/view.php?id=CVE-2025-39812
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: initialize more fields in sctp_v6_from_sk() syzbot found that sin6_scope_id was not properly initialized, leading to undefined behavior. Clear sin6_scope_id and sin6_flowinfo. BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983 sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390 sctp_get_port_local... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39810 – bnxt_en: Fix memory corruption when FW resources change during ifdown
https://notcve.org/view.php?id=CVE-2025-39810
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix memory corruption when FW resources change during ifdown bnxt_set_dflt_rings() assumes that it is always called before any TC has been created. So it doesn't take bp->num_tc into account and assumes that it is always 0 or 1. In the FW resource or capability change scenario, the FW will return flags in bnxt_hwrm_if_change() that will cause the driver to reinitialize and call bnxt_cancel_reservations(). This will lead to bnxt_ini... • https://git.kernel.org/stable/c/ec5d31e3c15d5233b491400133c67f78a320062c • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39808 – HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
https://notcve.org/view.php?id=CVE-2025-39808
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() in ntrig_report_version(), hdev parameter passed from hid_probe(). sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null if hdev->dev.parent->parent is null, usb_dev has invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned when usb_rcvctrlpipe() use usb_dev,it trigger page fault error for address(0xffffffffffffff58) add null check... • https://git.kernel.org/stable/c/0277873c05158c5efc97c23d52e6aec6250bde0f •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39806 – HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
https://notcve.org/view.php?id=CVE-2025-39806
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bu... • https://git.kernel.org/stable/c/7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39805 – net: macb: fix unregister_netdev call order in macb_remove()
https://notcve.org/view.php?id=CVE-2025-39805
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: macb: fix unregister_netdev call order in macb_remove() When removing a macb device, the driver calls phy_exit() before unregister_netdev(). This leads to a WARN from kernfs: ------------[ cut here ]------------ kernfs: can not remove 'attached_dev', no directory WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683 Call trace: kernfs_remove_by_name_ns+0xd8/0xf0 sysfs_remove_link+0x24/0x58 phy_detach+0x5c/0x168 phy_disconnect+0x4c/0x70 ph... • https://git.kernel.org/stable/c/8b73fa3ae02b2401960de41b0454c0321377b203 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2023-53302 – wifi: iwl4965: Add missing check for create_singlethread_workqueue()
https://notcve.org/view.php?id=CVE-2023-53302
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwl4965: Add missing check for create_singlethread_workqueue() Add the check for the return value of the create_singlethread_workqueue() in order to avoid NULL pointer dereference. This update provides the initial livepatch for this kernel update. This update does not contain any fixes and will be updated with livepatches later. • https://git.kernel.org/stable/c/b481de9ca074528fe8c429604e2777db8b89806a • CWE-476: NULL Pointer Dereference •