CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-21816 – hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING
https://notcve.org/view.php?id=CVE-2025-21816
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING hrtimers are migrated away from the dying CPU to any online target at the CPUHP_AP_HRTIMERS_DYING stage in order not to delay bandwidth timers handling tasks involved in the CPU hotplug forward progress. However wakeups can still be performed by the outgoing CPU after CPUHP_AP_HRTIMERS_DYING. Those can result again in bandwidth timers being armed. Depending on severa... • https://git.kernel.org/stable/c/5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21814 – ptp: Ensure info->enable callback is always set
https://notcve.org/view.php?id=CVE-2025-21814
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ptp: Ensure info->enable callback is always set The ioctl and sysfs handlers unconditionally call the ->enable callback. Not all drivers implement that callback, leading to NULL dereferences. Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c. Instead use a dummy callback if no better was specified by the driver. In the Linux kernel, the following vulnerability has been resolved: ptp: Ensure info->enable callback is always... • https://git.kernel.org/stable/c/d94ba80ebbea17f036cecb104398fbcd788aa742 •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2025-21812 – ax25: rcu protect dev->ax25_ptr
https://notcve.org/view.php?id=CVE-2025-21812
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: rcu protect dev->ax25_ptr syzbot found a lockdep issue [1]. We should remove ax25 RTNL dependency in ax25_setsockopt() This should also fix a variety of possible UAF in ax25. [1] WARNING: possible circular locking dependency detected 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted ------------------------------------------------------ syz.5.1818/12806 is trying to acquire lock: ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax... • https://git.kernel.org/stable/c/c433570458e49bccea5c551df628d058b3526289 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21811 – nilfs2: protect access to buffers with no active references
https://notcve.org/view.php?id=CVE-2025-21811
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect access to buffers with no active references nilfs_lookup_dirty_data_buffers(), which iterates through the buffers attached to dirty data folios/pages, accesses the attached buffers without locking the folios/pages. For data cache, nilfs_clear_folio_dirty() may be called asynchronously when the file system degenerates to read only, so nilfs_lookup_dirty_data_buffers() still has the potential to cause use after free issues whe... • https://git.kernel.org/stable/c/8c26c4e2694a163d525976e804d81cd955bbb40c • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21806 – net: let net.core.dev_weight always be non-zero
https://notcve.org/view.php?id=CVE-2025-21806
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: let net.core.dev_weight always be non-zero The following problem was encountered during stability test: (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \ returned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \ next=ffff88905f746e40. WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \ __list_add_valid_or_report+0xf3/0x130 CPU: 18 UID:... • https://git.kernel.org/stable/c/e3876605450979fe52a1a03e7eb78a89bf59e76a •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-21802 – net: hns3: fix oops when unload drivers paralleling
https://notcve.org/view.php?id=CVE-2025-21802
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock. T... • https://git.kernel.org/stable/c/0dd8a25f355b4df2d41c08df1716340854c7d4c5 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21801 – net: ravb: Fix missing rtnl lock in suspend/resume path
https://notcve.org/view.php?id=CVE-2025-21801
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ravb: Fix missing rtnl lock in suspend/resume path Fix the suspend/resume path by ensuring the rtnl lock is held where required. Calls to ravb_open, ravb_close and wol operations must be performed under the rtnl lock to prevent conflicts with ongoing ndo operations. Without this fix, the following warning is triggered: [ 39.032969] ============================= [ 39.032983] WARNING: suspicious RCU usage [ 39.033019] -------------------... • https://git.kernel.org/stable/c/0184165b2f42c4b032da9dd11546bfbaeb5afd4e •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21796 – nfsd: clear acl_access/acl_default after releasing them
https://notcve.org/view.php?id=CVE-2025-21796
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0... • https://git.kernel.org/stable/c/a257cdd0e2179630d3201c32ba14d7fcb3c3a055 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2025-21792 – ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt
https://notcve.org/view.php?id=CVE-2025-21792
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release(). Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refcounts in ax25_release(). In order for that to work correctly the refcounts must already be incremented when the device is bound to the socket. A... • https://git.kernel.org/stable/c/9fd75b66b8f68498454d685dc4ba13192ae069b0 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21791 – vrf: use RCU protection in l3mdev_l3_out()
https://notcve.org/view.php?id=CVE-2025-21791
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendms... • https://git.kernel.org/stable/c/a8e3e1a9f02094145580ea7920c6a1d9aabd5539 • CWE-416: Use After Free •