CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40186 – tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
https://notcve.org/view.php?id=CVE-2025-40186
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due t... • https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40185 – ice: ice_adapter: release xa entry on adapter allocation failure
https://notcve.org/view.php?id=CVE-2025-40185
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: ice_adapter: release xa entry on adapter allocation failure When ice_adapter_new() fails, the reserved XArray entry created by xa_insert() is not released. This causes subsequent insertions at the same index to return -EBUSY, potentially leading to NULL pointer dereferences. Reorder the operations as suggested by Przemek Kitszel: 1. Check if adapter already exists (xa_load) 2. Reserve the XArray slot (xa_reserve) 3. • https://git.kernel.org/stable/c/0f0023c649c7bc50543fbe6e1801eb6357b8bd63 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40183 – bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
https://notcve.org/view.php?id=CVE-2025-40183
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster. The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap... • https://git.kernel.org/stable/c/b4ab31414970a7a03a5d55d75083f2c101a30592 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40181 – x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP
https://notcve.org/view.php?id=CVE-2025-40181
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP When running as an SNP or TDX guest under KVM, force the legacy PCI hole, i.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC via a forced variable MTRR range. In most KVM-based setups, legacy devices such as the HPET and TPM are enumerated via ACPI. ACPI enumeration includes a Memory32Fixed entry, and optionally a SystemMemory descriptor for an Ope... • https://git.kernel.org/stable/c/8e690b817e38769dc2fa0e7473e5a5dc1fc25795 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40180 – mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
https://notcve.org/view.php?id=CVE-2025-40180
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent accessing memory beyond the allocated array bounds. In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starti... • https://git.kernel.org/stable/c/4981b82ba2ff87df6a711fcd7a233c615df5fc79 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40179 – ext4: verify orphan file size is not too big
https://notcve.org/view.php?id=CVE-2025-40179
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but lar... • https://git.kernel.org/stable/c/02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40178 – pid: Add a judgment for ns null in pid_nr_ns
https://notcve.org/view.php?id=CVE-2025-40178
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns __task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) { Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns. For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DA... • https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776 •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40177 – accel/qaic: Fix bootlog initialization ordering
https://notcve.org/view.php?id=CVE-2025-40177
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix bootlog initialization ordering As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers. We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are... • https://git.kernel.org/stable/c/5f8df5c6def641c164ed1b673d47a41fdd0013f8 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40176 – tls: wait for pending async decryptions if tls_strp_msg_hold fails
https://notcve.org/view.php?id=CVE-2025-40176
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tls_strp_msg_hold fails Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned). In this case, wait for all pending decryption requests. In the Linux kernel, the... • https://git.kernel.org/stable/c/84c61fe1a75b4255df1e1e7c054c9e6d048da417 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40174 – x86/mm: Fix SMP ordering in switch_mm_irqs_off()
https://notcve.org/view.php?id=CVE-2025-40174
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix SMP ordering in switch_mm_irqs_off() Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs. [ dhansen: merge conflict fixed by Ingo ] In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/209954cbc7d0ce1a190fc725d20ce303d74d2680 •