CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-37932 – sch_htb: make htb_qlen_notify() idempotent
https://notcve.org/view.php?id=CVE-2025-37932
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_qlen_notify() idempotent htb_qlen_notify() always deactivates the HTB class and in fact could trigger a warning if it is already deactivated. Therefore, it is not idempotent and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life. In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_qlen_notify() idempotent htb_qle... • https://git.kernel.org/stable/c/73cf6af13153d62f9b76eff422eea79dbc70f15e •
CVSS: 7.8EPSS: %CPEs: 3EXPL: 0CVE-2025-37926 – ksmbd: fix use-after-free in ksmbd_session_rpc_open
https://notcve.org/view.php?id=CVE-2025-37926
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_session_rpc_open A UAF issue can occur due to a race condition between ksmbd_session_rpc_open() and __session_rpc_close(). Add rpc_lock to the session to protect it. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_session_rpc_open A UAF issue can occur due to a race condition between ksmbd_session_rpc_open() and __session_rpc_close(). Add rpc_lock to t... • https://git.kernel.org/stable/c/8fb3b6c85b7e3127161623586b62abcc366caa20 •
CVSS: 7.8EPSS: %CPEs: 5EXPL: 0CVE-2025-37924 – ksmbd: fix use-after-free in kerberos authentication
https://notcve.org/view.php?id=CVE-2025-37924
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in kerberos authentication Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in kerberos authen... • https://git.kernel.org/stable/c/e34a33d5d7e87399af0a138bb32f6a3e95dd83d2 •
CVSS: 7.8EPSS: %CPEs: 6EXPL: 0CVE-2025-37923 – tracing: Fix oob write in trace_seq_to_buffer()
https://notcve.org/view.php?id=CVE-2025-37923
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace_seq_to_buffer() syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260 CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainte... • https://git.kernel.org/stable/c/3c56819b14b00dd449bd776303e61f8532fad09f •
CVSS: 4.3EPSS: %CPEs: 3EXPL: 0CVE-2025-37907 – accel/ivpu: Fix locking order in ivpu_job_submit
https://notcve.org/view.php?id=CVE-2025-37907
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix locking order in ivpu_job_submit Fix deadlock in job submission and abort handling. When a thread aborts currently executing jobs due to a fault, it first locks the global lock protecting submitted_jobs (#1). After the last job is destroyed, it proceeds to release the related context and locks file_priv (#2). Meanwhile, in the job submission thread, the file_priv lock (#2) is taken first, and then the submitted_jobs lock (#1... • https://git.kernel.org/stable/c/079d2622f8c9e0c380149645fff21d35c59ce6ff •
CVSS: 7.8EPSS: %CPEs: 3EXPL: 0CVE-2025-37899 – ksmbd: fix use-after-free in session logoff
https://notcve.org/view.php?id=CVE-2025-37899
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user ... • https://git.kernel.org/stable/c/d5ec1d79509b3ee01de02c236f096bc050221b7f •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37892 – mtd: inftlcore: Add error check for inftl_read_oob()
https://notcve.org/view.php?id=CVE-2025-37892
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fails. In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwri... • https://git.kernel.org/stable/c/8593fbc68b0df1168995de76d1af38eb62fd6b62 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53146 – media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
https://notcve.org/view.php?id=CVE-2023-53146
14 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach dw2102_i2c_transfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 950e252cb469 ("[media] dw2102: limit messages... • https://git.kernel.org/stable/c/77cbd42d29de9ffc93d5529bab8813cde53af14c •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2023-53145 – Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
https://notcve.org/view.php?id=CVE-2023-53145
10 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame. If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove. In the Linux kernel, the following vulnerability has been resolved: Blueto... • https://git.kernel.org/stable/c/6c3653627397a0d6eab19b20a59423e118985a6b •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-37885 – KVM: x86: Reset IRTE to host control if *new* route isn't postable
https://notcve.org/view.php?id=CVE-2025-37885
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reset IRTE to host control if *new* route isn't postable Restore an IRTE back to host control (remapped or posted MSI mode) if the *new* GSI route prevents posting the IRQ directly to a vCPU, regardless of the GSI routing type. Updating the IRTE if and only if the new GSI is an MSI results in KVM leaving an IRTE posting to a vCPU. The dangling IRTE can result in interrupts being incorrectly delivered to the guest, and in the worst... • https://git.kernel.org/stable/c/efc644048ecde54f016011fe10110addd0de348f •