CVSS: 7.2 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39869 – dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
https://notcve.org/view.php?id=CVE-2025-39869
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Fix a critical memory allocation bug in edma_setup_from_hw() where queue_priority_map was allocated with insufficient memory. The code declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but allocated memory using sizeof(s8) instead of the correct size. This caused out-of-bounds memory writes when accessing: queue_priority_map[i][0] = i; queue_priority_m... • https://git.kernel.org/stable/c/2b6b3b7420190888793c49e97276e1e73bd7eaed •
CVSS: 6.4 • EPSS: 0% • CPEs: 7 • EXPL: 1 • CVE-2025-39866 – fs: writeback: fix use-after-free in __mark_inode_dirty()
https://notcve.org/view.php?id=CVE-2025-39866
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() A use-after-free issue occurred when __mark_inode_dirty() gets the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark... • https://packetstorm.news/files/id/209969 •
CVSS: 5.5 • EPSS: 0% • CPEs: 10 • EXPL: 0 • CVE-2025-39865 – tee: fix NULL pointer dereference in tee_shm_put
https://notcve.org/view.php?id=CVE-2025-39865
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put has a NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 ... • https://git.kernel.org/stable/c/c05d8f66ec3470e5212c4d08c46d6cb5738d600d •
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-39864 – wifi: cfg80211: fix use-after-free in cmp_bss()
https://notcve.org/view.php?id=CVE-2025-39864
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer. • https://git.kernel.org/stable/c/3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 • CWE-416: Use After Free •
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39863 – wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
https://notcve.org/view.php?id=CVE-2025-39863
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1. If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shut... • https://git.kernel.org/stable/c/61730d4dfffc2cc9d3a49fad87633008105c18ba • CWE-416: Use After Free •
CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-39862 – wifi: mt76: mt7915: fix list corruption after hardware restart
https://notcve.org/view.php?id=CVE-2025-39862
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix list corruption after hardware restart Since stations are recreated from scratch, all lists that wcids are added to must be cleared before calling ieee80211_restart_hw. Set wcid->sta = 0 for each wcid entry in order to ensure that they are not added again before they are ready. • https://git.kernel.org/stable/c/8a55712d124fd8a919e8a69b70643e1a97280b4b • CWE-787: Out-of-bounds Write •
CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-39861 – Bluetooth: vhci: Prevent use-after-free by removing debugfs files early
https://notcve.org/view.php?id=CVE-2025-39861
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Move the creation of debugfs files into a dedicated function, and ensure they are explicitly removed during vhci_release(), before associated data structures are freed. Previously, debugfs files such as "force_suspend", "force_wakeup", and others were created under hdev->debugfs but not removed in vhci_release(). Since vhci_release() frees the backing vhci_data structur... • https://git.kernel.org/stable/c/ab4e4380d4e158486e595013a2635190e07e28ce • CWE-416: Use After Free •
CVSS: 7.2 • EPSS: 0% • CPEs: 11 • EXPL: 0 • CVE-2025-39860 – Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
https://notcve.org/view.php?id=CVE-2025-39860
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit. bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release(). Two threads could see the same socket during the list iteration in... • https://git.kernel.org/stable/c/a2da00d1ea1abfb04f846638e210b5b5166e3c9c •
CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-39859 – ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog
https://notcve.org/view.php?id=CVE-2025-39859
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog The ptp_ocp_detach() only shuts down the watchdog timer if it is pending. However, if the timer handler is already running, the timer_delete_sync() is not called. This leads to race conditions where the devlink that contains the ptp_ocp is deallocated while the timer handler is still accessing it, resulting in use-after-free bugs. The following details one of the race scenarios. ... • https://git.kernel.org/stable/c/773bda96492153e11d21eb63ac814669b51fc701 • CWE-416: Use After Free •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39857 – net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
https://notcve.org/view.php?id=CVE-2025-39857
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() BUG: kernel NULL pointer dereference, address: 00000000000002ec PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Workqueue: smc_hs_wq smc_listen_work [smc] RIP: 0010:sm... • https://git.kernel.org/stable/c/0ef69e788411cba2af017db731a9fc62d255e9ac •
