CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39766 – net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
https://notcve.org/view.php?id=CVE-2025-39766
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ htb rate 64bit tc qdisc add dev lo parent 1:1 handle f: \ cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 This is because the low memlimit leads ... • https://git.kernel.org/stable/c/046f6fd5daefac7f5abdafb436b30f63bc7c602b •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39764 – netfilter: ctnetlink: remove refcounting in expectation dumpers
https://notcve.org/view.php?id=CVE-2025-39764
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption. AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do if (!refcount_inc_not_zero(&exp->use)) to increment the refcount, there is a chance that exp == last, which causes a double-... • https://git.kernel.org/stable/c/cf6994c2b9812a9f02b99e89df411ffc5db9c779 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39763 – ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered
https://notcve.org/view.php?id=CVE-2025-39763
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered If a synchronous error is detected as a result of user-space process triggering a 2-bit uncorrected error, the CPU will take a synchronous error exception such as Synchronous External Abort (SEA) on Arm64. The kernel will queue a memory_failure() work which poisons the related page, unmaps the page, and then sends a SIGBUS to the process, so that a system wide... • https://git.kernel.org/stable/c/082735fbcdb6cd0cf20fbec94516ab2996f1cdd5 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39762 – drm/amd/display: add null check
https://notcve.org/view.php?id=CVE-2025-39762
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39760 – usb: core: config: Prevent OOB read in SS endpoint companion parsing
https://notcve.org/view.php?id=CVE-2025-39760
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor. In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss... • https://git.kernel.org/stable/c/5c3097ede7835d3caf6543eb70ff689af4550cd2 •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39759 – btrfs: qgroup: fix race between quota disable and quota rescan ioctl
https://notcve.org/view.php?id=CVE-2025-39759
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing ... • https://git.kernel.org/stable/c/7cda0fdde5d9890976861421d207870500f9aace •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39757 – ALSA: usb-audio: Validate UAC3 cluster segment descriptors
https://notcve.org/view.php?id=CVE-2025-39757
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descrip... • https://git.kernel.org/stable/c/11785ef53228d23ec386f5fe4a34601536f0c891 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39756 – fs: Prevent file descriptor table allocations exceeding INT_MAX
https://notcve.org/view.php?id=CVE-2025-39756
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_MAX, resulting in a WARNING in mm/slub.c: WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288 This happens because kvmalloc_array() and kvm... • https://git.kernel.org/stable/c/9cfe015aa424b3c003baba3841a60dd9b5ad319b •
CVSS: 6.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39754 – mm/smaps: fix race between smaps_hugetlb_range and migration
https://notcve.org/view.php?id=CVE-2025-39754
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/smaps: fix race between smaps_hugetlb_range and migration smaps_hugetlb_range() handles the pte without holdling ptl, and may be concurrenct with migration, leaing to BUG_ON in pfn_swap_entry_to_page(). The race is as follows. smaps_hugetlb_range migrate_pages huge_ptep_get remove_migration_ptes folio_unlock pfn_swap_entry_folio BUG_ON To fix it, hold ptl lock in smaps_hugetlb_range(). In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/25ee01a2fca02dfb5a3ce316e77910c468108199 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39753 – gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops
https://notcve.org/view.php?id=CVE-2025-39753
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Clears up the warning added in 7ee3647243e5 ("migrate: Remove call to ->writepage") that occurs in various xfstests, causing "something found in dmesg" failures. [ 341.136573] gfs2_meta_aops does not implement migrate_folio [ 341.136953] WARNING: CPU: 1 PID: 36 at mm/migrate.c:944 move_to_new_folio+0x2f8/0x300 In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .mig... • https://git.kernel.org/stable/c/3d2c05cbc6a3725d832b912b637971f37301c7e5 •