CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38590 – net/mlx5e: Remove skb secpath if xfrm state is not found
https://notcve.org/view.php?id=CVE-2025-38590
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup. Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0. Subsequently, functions like __xfrm_policy_check()... • https://git.kernel.org/stable/c/b2ac7541e3777f325c49d900550c9e3dd10c0eda •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38589 – neighbour: Fix null-ptr-deref in neigh_flush_dev().
https://notcve.org/view.php?id=CVE-2025-38589
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: neighbour: Fix null-ptr-deref in neigh_flush_dev(). kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0] The cited commit introduced per-netdev neighbour list and converted neigh_flush_dev() to use it instead of the global hash table. One thing we missed is that neigh_table_clear() calls neigh_ifdown() with NULL dev. Let's restore the hash table iteration. Note that IPv6 module is no longer unloadable, so neigh_table_clear() ... • https://git.kernel.org/stable/c/f7f52738637f4361c108cad36e23ee98959a9006 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38588 – ipv6: prevent infinite loop in rt6_nlmsg_size()
https://notcve.org/view.php?id=CVE-2025-38588
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } This is because fib6_del_route() and fib6_add_rt2node() uses list_del_rcu(), which can confuse rcu readers, because they might no longer see the head of the list.... • https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38587 – ipv6: fix possible infinite loop in fib6_info_uses_dev()
https://notcve.org/view.php?id=CVE-2025-38587
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_dev() seems to rely on RCU without an explicit protection. Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we risk an infinite loop. In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_d... • https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38586 – bpf, arm64: Fix fp initialization for exception boundary
https://notcve.org/view.php?id=CVE-2025-38586
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix fp initialization for exception boundary In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF program, find_used_callee_regs() is not called because for a program acting as exception boundary, all callee saved registers are saved. find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP being used in any of the instructions. For programs acting as exception boundary, ctx->fp_used remains false ... • https://git.kernel.org/stable/c/5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38585 – staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()
https://notcve.org/view.php?id=CVE-2025-38585
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer overflow: 1. gmin_get_config_var() does not return the proper error code when efi.get_variable() fails. It returns the stale 'ret' value from earlier operations instead of indicating the EFI failure. 2. When ef... • https://git.kernel.org/stable/c/38d4f74bc14847491d07bd745dc4a2c274f4987d •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38584 – padata: Fix pd UAF once and for all
https://notcve.org/view.php?id=CVE-2025-38584
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: padata: Fix pd UAF once and for all There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker. This reference count is (and only is) required for padata_replace to function correctly. If padata_replace is never called then there is no issue. In the function padata_reorder which serves as t... • https://git.kernel.org/stable/c/16295bec6398a3eedc9377e1af6ff4c71b98c300 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38583 – clk: xilinx: vcu: unregister pll_post only if registered correctly
https://notcve.org/view.php?id=CVE-2025-38583
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace: Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unregister+0xc/0x20 lr : clk_hw_unregister_fixed_factor+0x18/0x30 sp : ffff800011923850 ... Call trace: clk_hw_unregister+0xc/0x20 clk_hw_unregister_fixed_factor+0x18/... • https://git.kernel.org/stable/c/4472e1849db7f719bbf625890096e0269b5849fe •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38582 – RDMA/hns: Fix double destruction of rsv_qp
https://notcve.org/view.php?id=CVE-2025-38582
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix double destruction of rsv_qp rsv_qp may be double destroyed in error flow, first in free_mr_init(), and then in hns_roce_exit(). Fix it by moving the free_mr_init() call into hns_roce_v2_init(). list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240 ... Call trace: __list_del_entry_valid+0x148/0x240 hns_roce_qp_remove... • https://git.kernel.org/stable/c/fd8489294dd2beefb70f12ec4f6132aeec61a4d0 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38581 – crypto: ccp - Fix crash when rebind ccp device for ccp.ko
https://notcve.org/view.php?id=CVE-2025-38581
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - ... • https://git.kernel.org/stable/c/3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 •