CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40178 – pid: Add a judgment for ns null in pid_nr_ns
https://notcve.org/view.php?id=CVE-2025-40178
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns
    __task_pid_nr_ns
        ns = task_active_pid_ns(current);
        pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
            if (pid && ns->level <= pid->level) {
Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns. For example:
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
    Mem abort info:
      ESR = 0x0000000096000007
      EC = 0x25: DA...
• https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776 •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40173 – net/ip6_tunnel: Prevent perpetual tunnel growth
https://notcve.org/view.php?id=CVE-2025-40173
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"), ipv6 tunnel yet increases the headroom without any ceiling. Reflect ipv4 tunnel headroom adjustment limit on ipv6 version. Credits to Francesco Ruggeri, who was originally debugging this ... • https://git.kernel.org/stable/c/8eb30be0352d09165e94a41fef1c7b994dca0714 •
CVSS: 7.1 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-40171 – nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
https://notcve.org/view.php?id=CVE-2025-40171
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmet_fc_ls_req_op It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken. In the current code, only one put work item is queued at a time, which results in a leaked reference. To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command. • https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4 •
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40170 – net: use dst_dev_rcu() in sk_setup_caps()
https://notcve.org/view.php?id=CVE-2025-40170
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu(). • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40168 – smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
https://notcve.org/view.php?id=CVE-2025-40168
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match(). smc_clc_prfx_match() is called from smc_listen_work() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the returned value of smc_clc_prfx_match() is not used in the caller. • https://git.kernel.org/stable/c/a046d57da19f812216f393e7c535f5858f793ac3 •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40167 – ext4: detect invalid INLINE_DATA + EXTENTS flag combination
https://notcve.org/view.php?id=CVE-2025-40167
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the i... • https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3 •
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40164 – usbnet: Fix using smp_processor_id() in preemptible code warnings
https://notcve.org/view.php?id=CVE-2025-40164
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: Fix using smp_processor_id() in preemptible code warnings Syzbot reported the following warning: BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:
CVSS: 6.6 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40160 – xen/events: Return -EEXIST for bound VIRQs
https://notcve.org/view.php?id=CVE-2025-40160
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propagate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially ... • https://git.kernel.org/stable/c/612ef6056855c0aacb9b25d1d853c435754483f7 •
CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40158 – ipv6: use RCU in ip6_output()
https://notcve.org/view.php?id=CVE-2025-40158
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2(). • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 7.2 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40154 – ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
https://notcve.org/view.php?id=CVE-2025-40154
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unexpected results like OOB access. This patch corrects the input mapping to the certain default value if an invalid value is passed. • https://git.kernel.org/stable/c/063422ca2a9de238401c3848c1b3641c07b6316c •
