CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-57974 – udp: Deal with race between UDP socket address change and rehash
https://notcve.org/view.php?id=CVE-2024-57974
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: udp: Deal with race between UDP socket address change and rehash If a UDP socket changes its local address while it's receiving datagrams, as a result of connect(), there is a period during which a lookup operation might fail to find it, after the address is changed but before the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) are updated. Secondary hash chains were introduced by commit 30ff... • https://git.kernel.org/stable/c/30fff9231fad757c061285e347b33c5149c2c2e4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-57973 – rdma/cxgb4: Prevent potential integer overflow on 32bit
https://notcve.org/view.php?id=CVE-2024-57973
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: rdma/cxgb4: Prevent potential integer overflow on 32bit The "gl->tot_len" variable is controlled by the user. It comes from process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an integer wrapping bug. Use size_add() to prevent this. In the Linux kernel, the following vulnerability has been resolved: rdma/cxgb4: Prevent potential integer overflow on 32b... • https://git.kernel.org/stable/c/1cab775c3e75f1250c965feafd061d696df36e53 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-57953 – rtc: tps6594: Fix integer overflow on 32bit systems
https://notcve.org/view.php?id=CVE-2024-57953
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: rtc: tps6594: Fix integer overflow on 32bit systems The problem is this multiply in tps6594_rtc_set_offset() tmp = offset * TICKS_PER_HOUR; The "tmp" variable is an s64 but "offset" is a long in the (-277774)-277774 range. On 32bit systems a long can hold numbers up to approximately two billion. The number of TICKS_PER_HOUR is really large, (32768 * 3600) or roughly a hundred million. When you start multiplying by a hundred million it doesn... • https://git.kernel.org/stable/c/9f67c1e63976d3403f0b250b03ffe959c890f9db •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21704 – usb: cdc-acm: Check control transfer buffer size before access
https://notcve.org/view.php?id=CVE-2025-21704
22 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present sinc... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21703 – netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
https://notcve.org/view.php?id=CVE-2025-21703
18 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list. In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427 • CWE-416: Use After Free •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21702 – pfifo_tail_enqueue: Drop new packet when sch->limit == 0
https://notcve.org/view.php?id=CVE-2025-21702
18 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() o... • https://git.kernel.org/stable/c/57dbb2d83d100ea601c54fe129bfde0678db5dee •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21701 – net: avoid race between device unregistration and ethnl ops
https://notcve.org/view.php?id=CVE-2025-21701
13 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21700 – net: sched: Disallow replacing of child qdisc from one parent to another
https://notcve.org/view.php?id=CVE-2025-21700
13 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc cl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21699 – gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
https://notcve.org/view.php?id=CVE-2025-21699
12 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two. In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space wh... • https://git.kernel.org/stable/c/2b0bd5051ad1c1e9ef4879f18e15a7712c974f3e •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-57952 – Revert "libfs: fix infinite directory reads for offset dir"
https://notcve.org/view.php?id=CVE-2024-57952
12 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "libfs: fix infinite directory reads for offset dir" The current directory offset allocator (based on mtree_alloc_cyclic) stores the next offset value to return in octx->next_offset. This mechanism typically returns values that increase monotonically over time. Eventually, though, the newly allocated offset value wraps back to a low number (say, 2) which is smaller than other already- allocated offset values. Yu Kuai