CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38735 – gve: prevent ethtool ops after shutdown
https://notcve.org/view.php?id=CVE-2025-38735
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers. In gve, shutdown() tears down most internal data structures. If an ethtool operation i... • https://git.kernel.org/stable/c/974365e518617c9ce917f61aacbba07e4bedcca0 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38734 – net/smc: fix UAF on smcsk after smc_listen_out()
https://notcve.org/view.php?id=CVE-2025-38734
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing report a UAF issue: [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0 [ 16.447134] #PF: supervisor read access in kernel mod e [ 16.447516] #PF: error_code(0x0000) - not-present pag e [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda7... • https://git.kernel.org/stable/c/3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38733 – s390/mm: Do not map lowcore with identity mapping
https://notcve.org/view.php?id=CVE-2025-38733
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/mm: Do not map lowcore with identity mapping Since the identity mapping is pinned to address zero the lowcore is always also mapped to address zero, this happens regardless of the relocate_lowcore command line option. If the option is specified the lowcore is mapped twice, instead of only once. This means that NULL pointer accesses will succeed instead of causing an exception (low address protection still applies, but covers only parts... • https://git.kernel.org/stable/c/32db401965f165f7c44447d0508097f070c8f576 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38732 – netfilter: nf_reject: don't leak dst refcount for loopback packets
https://notcve.org/view.php?id=CVE-2025-38732
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] Ca... • https://git.kernel.org/stable/c/f53b9b0bdc59c0823679f2e3214e0d538f5951b9 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38730 – io_uring/net: commit partial buffers on retry
https://notcve.org/view.php?id=CVE-2025-38730
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/net: commit partial buffers on retry Ring provided buffers are potentially only valid within the single execution context in which they were acquired. io_uring deals with this and invalidates them on retry. But on the networking side, if MSG_WAITALL is set, or if the socket is of the streaming type and too little was processed, then it will hang on to the buffer rather than recycle or commit it. This is problematic for two reasons:... • https://git.kernel.org/stable/c/c56e022c0a27142b7b59ae6bdf45f86bf4b298a1 •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38729 – ALSA: usb-audio: Validate UAC3 power domain descriptors, too
https://notcve.org/view.php?id=CVE-2025-38729
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB a... • https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf • CWE-125: Out-of-bounds Read •
CVSS: 6.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38728 – smb3: fix for slab out of bounds on mount to ksmbd
https://notcve.org/view.php?id=CVE-2025-38728
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_M... • https://git.kernel.org/stable/c/fe856be475f7cf5ffcde57341d175ce9fd09434b •
CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38727 – netlink: avoid infinite retry looping in netlink_unicast()
https://notcve.org/view.php?id=CVE-2025-38727
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: avoid infinite retry looping in netlink_unicast() netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem < READ_ONCE(sk->sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under: rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) The checks don't cover the case when skb->truesize + sk->sk_rmem_al... • https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38726 – net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect
https://notcve.org/view.php?id=CVE-2025-38726
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect After the call to phy_disconnect() netdev->phydev is reset to NULL. So fixed_phy_unregister() would be called with a NULL pointer as argument. Therefore cache the phy_device before this call. In the Linux kernel, the following vulnerability has been resolved: net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect After the call to phy_discon... • https://git.kernel.org/stable/c/e24a6c874601efb3de6e535895dd8e4f56fa98f1 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38725 – net: usb: asix_devices: add phy_mask for ax88772 mdio bus
https://notcve.org/view.php?id=CVE-2025-38725
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly deference member of phy... • https://git.kernel.org/stable/c/e532a096be0e5e570b383e71d4560e7f04384e0f •