CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38735 – gve: prevent ethtool ops after shutdown
https://notcve.org/view.php?id=CVE-2025-38735
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers. In gve, shutdown() tears down most internal data structures. If an ethtool operation i... • https://git.kernel.org/stable/c/974365e518617c9ce917f61aacbba07e4bedcca0 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38734 – net/smc: fix UAF on smcsk after smc_listen_out()
https://notcve.org/view.php?id=CVE-2025-38734
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing report a UAF issue: [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0 [ 16.447134] #PF: supervisor read access in kernel mod e [ 16.447516] #PF: error_code(0x0000) - not-present pag e [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda7... • https://git.kernel.org/stable/c/3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38732 – netfilter: nf_reject: don't leak dst refcount for loopback packets
https://notcve.org/view.php?id=CVE-2025-38732
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] Ca... • https://git.kernel.org/stable/c/f53b9b0bdc59c0823679f2e3214e0d538f5951b9 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38730 – io_uring/net: commit partial buffers on retry
https://notcve.org/view.php?id=CVE-2025-38730
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/net: commit partial buffers on retry Ring provided buffers are potentially only valid within the single execution context in which they were acquired. io_uring deals with this and invalidates them on retry. But on the networking side, if MSG_WAITALL is set, or if the socket is of the streaming type and too little was processed, then it will hang on to the buffer rather than recycle or commit it. This is problematic for two reasons:... • https://git.kernel.org/stable/c/c56e022c0a27142b7b59ae6bdf45f86bf4b298a1 •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38729 – ALSA: usb-audio: Validate UAC3 power domain descriptors, too
https://notcve.org/view.php?id=CVE-2025-38729
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB a... • https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf • CWE-125: Out-of-bounds Read •
CVSS: 6.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38728 – smb3: fix for slab out of bounds on mount to ksmbd
https://notcve.org/view.php?id=CVE-2025-38728
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_M... • https://git.kernel.org/stable/c/fe856be475f7cf5ffcde57341d175ce9fd09434b •
CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38727 – netlink: avoid infinite retry looping in netlink_unicast()
https://notcve.org/view.php?id=CVE-2025-38727
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: avoid infinite retry looping in netlink_unicast() netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem < READ_ONCE(sk->sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under: rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) The checks don't cover the case when skb->truesize + sk->sk_rmem_al... • https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38725 – net: usb: asix_devices: add phy_mask for ax88772 mdio bus
https://notcve.org/view.php?id=CVE-2025-38725
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly deference member of phy... • https://git.kernel.org/stable/c/e532a096be0e5e570b383e71d4560e7f04384e0f •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38724 – nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
https://notcve.org/view.php?id=CVE-2025-38724
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if the... • https://git.kernel.org/stable/c/d20c11d86d8f821a64eac7d6c8f296f06d935f4f •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38723 – LoongArch: BPF: Fix jump offset calculation in tailcall
https://notcve.org/view.php?id=CVE-2025-38723
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix jump offset calculation in tailcall The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by "#define jmp_offset (out_offset - (cur_offset))" is a negative number, which is wrong. The final generated assembly are as follow. 54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 ... • https://git.kernel.org/stable/c/5dc615520c4dfb358245680f1904bad61116648e •