
CVE-2025-38207 – mm: fix uprobe pte be overwritten when expanding vma
https://notcve.org/view.php?id=CVE-2025-38207
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: mm: fix uprobe pte be overwritten when expanding vma Patch series "Fix uprobe pte be overwritten when expanding vma". This patch (of 4): We encountered a BUG alert triggered by Syzkaller as follows: BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1 And we can reproduce it with the following steps: 1. register uprobe on file at zero offset 2. mmap the file at zero offset: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVA... • https://git.kernel.org/stable/c/2b144498350860b6ee9dc57ff27a93ad488de5dc •

CVE-2025-38206 – exfat: fix double free in delayed_free
https://notcve.org/view.php?id=CVE-2025-38206
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it. In the Linux kernel, the following vulnerability has been r... • https://git.kernel.org/stable/c/13d8de1b6568dcc31a95534ced16bc0c9a67bc15 •

CVE-2025-38205 – drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1
https://notcve.org/view.php?id=CVE-2025-38205
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 [Why] If the dummy values in `populate_dummy_dml_surface_cfg()` aren't updated then they can lead to a divide by zero in downstream callers like CalculateVMAndRowBytes() [How] Initialize dummy value to a value to avoid divide by zero. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1... • https://git.kernel.org/stable/c/8044f981b2cf8c32fe1bd5d1fc991552cdf7ffe0 •

CVE-2025-38204 – jfs: fix array-index-out-of-bounds read in add_missing_indices
https://notcve.org/view.php?id=CVE-2025-38204
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to 127. Added a bound check for that error and return -EIO if the check fails. Also make jfs_readdir return with error if add_missing_indices returns with an error. In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but i... • https://git.kernel.org/stable/c/81af4b34fd72d390d7f237c6a545cc6d09707956 •

CVE-2025-38203 – jfs: Fix null-ptr-deref in jfs_ioc_trim
https://notcve.org/view.php?id=CVE-2025-38203
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted 6.13.0-rc6-gfbfd64d25c7a-dirty #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Sched_ext: serialise (enabled+all), task: ru... • https://git.kernel.org/stable/c/0d50231d473f89024158dc62624930de45d13718 •

CVE-2025-38202 – bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()
https://notcve.org/view.php?id=CVE-2025-38202
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf program. When BPF JIT is disabled or under 32-bit host, bpf_map_lookup_percpu_elem() will not be inlined. Using it in a sleepable bpf program will trigger the warning in bpf_map_lookup_percpu_elem(), because the bpf program only holds rcu_read_lock_trace lock. Therefore, add the missed check. In the L... • https://git.kernel.org/stable/c/2f8c69a72e8ad87b36b8052f789da3cc2b2e186c •

CVE-2025-38201 – netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
https://notcve.org/view.php?id=CVE-2025-38201
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. Similar to: b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX") In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is pos... • https://git.kernel.org/stable/c/0ab3de047808f375a36cd345225572eb3366f3c6 •

CVE-2025-38200 – i40e: fix MMIO write access to an invalid page in i40e_clear_hw
https://notcve.org/view.php?id=CVE-2025-38200
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer und... • https://git.kernel.org/stable/c/872607632c658d3739e4e7889e4f3c419ae2c193 •

CVE-2025-38199 – wifi: ath12k: Fix memory leak due to multiple rx_stats allocation
https://notcve.org/view.php?id=CVE-2025-38199
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak due to multiple rx_stats allocation rx_stats for each arsta is allocated when adding a station. arsta->rx_stats will be freed when a station is removed. Redundant allocations are occurring when the same station is added multiple times. This causes ath12k_mac_station_add() to be called multiple times, and rx_stats is allocated each time. As a result there is memory leaks. Prevent multiple allocations of rx_stats... • https://git.kernel.org/stable/c/232f962ae5fca98912a719e64b4964a5aec7c99b •

CVE-2025-38198 – fbcon: Make sure modelist not set on unregistered console
https://notcve.org/view.php?id=CVE-2025-38198
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_info *[32]' ... fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 fb_new_m... • https://git.kernel.org/stable/c/b3237d451bf3a4490cb1a76f3b7c91d9888f1c4b •