CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21754 – btrfs: fix assertion failure when splitting ordered extent after transaction abort
https://notcve.org/view.php?id=CVE-2025-21754
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion failure when splitting ordered extent after transaction abort If while we are doing a direct IO write a transaction abort happens, we mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done at btrfs_destroy_ordered_extents()), and then after that if we enter btrfs_split_ordered_extent() and the ordered extent has bytes left (meaning we have a bio that doesn't cover the whole ordered extent, see details... • https://git.kernel.org/stable/c/52b1fdca23ac0fbcad363a1a5b426bf0d56b715a •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21753 – btrfs: fix use-after-free when attempting to join an aborted transaction
https://notcve.org/view.php?id=CVE-2025-21753
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when attempting to join an aborted transaction When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fs_info->trans_lock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free. Fix this by reading the '... • https://git.kernel.org/stable/c/871383be592ba7e819d27556591e315a0df38cee • CWE-416: Use After Free •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-21752 – btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents
https://notcve.org/view.php?id=CVE-2025-21752
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents Don't use btrfs_set_item_key_safe() to modify the keys in the RAID stripe-tree, as this can lead to corruption of the tree, which is caught by the checks in btrfs_set_item_key_safe(): BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12 BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030 [ snip ] item 105 key (354549760 230 2048... • https://git.kernel.org/stable/c/02c372e1f016e5113217597ab37b399c4e407477 •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21750 – wifi: brcmfmac: Check the return value of of_property_read_string_index()
https://notcve.org/view.php?id=CVE-2025-21750
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Check the return value of of_property_read_string_index() Somewhen between 6.10 and 6.11 the driver started to crash on my MacBookPro14,3. The property doesn't exist and 'tmp' remains uninitialized, so we pass a random pointer to devm_kstrdup(). The crash I am getting looks like this: BUG: unable to handle page fault for address: 00007f033c669379 PF: supervisor read access in kernel mode PF: error_code(0x0001) - permissions ... • https://git.kernel.org/stable/c/af525a8b2ab85291617e79a5bb18bcdcb529e80c •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21749 – net: rose: lock the socket in rose_bind()
https://notcve.org/view.php?id=CVE-2025-21749
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock the socket to avoid this issue. In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock th... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-21748 – ksmbd: fix integer overflows on 32 bit systems
https://notcve.org/view.php?id=CVE-2025-21748
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix integer overflows on 32 bit systems On 32bit systems the addition operations in ipc_msg_alloc() can potentially overflow leading to memory corruption. Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix integer overflows on 32 bit systems On 32bit systems the addition operations in ipc_msg_alloc() can potentially overflow leading to memo... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21746 – Input: synaptics - fix crash when enabling pass-through port
https://notcve.org/view.php?id=CVE-2025-21746
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: synaptics - fix crash when enabling pass-through port When enabling a pass-through port an interrupt might come before psmouse driver binds to the pass-through port. However synaptics sub-driver tries to access psmouse instance presumably associated with the pass-through port to figure out if only 1 byte of response or entire protocol packet needs to be forwarded to the pass-through port and may crash if psmouse instance has not been... • https://git.kernel.org/stable/c/100e16959c3ca8cb7be788ed3e2c5867481f35f6 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21745 – blk-cgroup: Fix class @block_class's subsystem refcount leakage
https://notcve.org/view.php?id=CVE-2025-21745
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount leakage blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with class_dev_iter_exit(). In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount... • https://git.kernel.org/stable/c/ef45fe470e1e5410db4af87abc5d5055427945ac •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21744 – wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
https://notcve.org/view.php?id=CVE-2025-21744
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs. The following sequence deletes the interface: brcmf_detach() brcmf_remove_interface() brcmf_del_if() Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches. After brcmf_remove_interface() call the brcmf_p... • https://git.kernel.org/stable/c/2326e19190e176fd72bb542b837a9d2b7fcb8693 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21743 – usbnet: ipheth: fix possible overflow in DPE length check
https://notcve.org/view.php?id=CVE-2025-21743
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow if wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB read. Move the wDatagramIndex term to the other side of the inequality. An existing condition ensures that wDatagramIndex < urb->actual_length. In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflo... • https://git.kernel.org/stable/c/a2d274c62e44b1995c170595db3865c6fe701226 •