CVSS: 7.8EPSS: %CPEs: 2EXPL: 0CVE-2025-22118 – ice: validate queue quanta parameters to prevent OOB access
https://notcve.org/view.php?id=CVE-2025-22118
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: validate queue quanta parameters to prevent OOB access Add queue wraparound prevention in quanta configuration. Ensure end_qid does not overflow by validating start_qid and num_queues. In the Linux kernel, the following vulnerability has been resolved: ice: validate queue quanta parameters to prevent OOB access Add queue wraparound prevention in quanta configuration. Ensure end_qid does not overflow by validating start_qid and num_queu... • https://git.kernel.org/stable/c/015307754a19832dd665295f6c123289b0f37ba6 •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2025-22117 – ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()
https://notcve.org/view.php?id=CVE-2025-22117
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() Fix using the untrusted value of proto->raw.pkt_len in function ice_vc_fdir_parse_raw() by verifying if it does not exceed the VIRTCHNL_MAX_SIZE_RAW_PACKET value. In the Linux kernel, the following vulnerability has been resolved: ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() Fix using the untrusted value of proto->raw.pkt_len in function ice_vc_fdir... • https://git.kernel.org/stable/c/99f419df8a5c5e1a58822203989f77712d01d410 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-22116 – idpf: check error for register_netdev() on init
https://notcve.org/view.php?id=CVE-2025-22116
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: idpf: check error for register_netdev() on init Current init logic ignores the error code from register_netdev(), which will cause WARN_ON() on attempt to unregister it, if there was one, and there is no info for the user that the creation of the netdev failed. WARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10 ... [ 3707.563641] unregister_netdev+0x1c/0x30 [ 3707.563656] idpf_vport_dealloc+0x5c... • https://git.kernel.org/stable/c/0fe45467a1041ea3657a7fa3a791c84c104fbd34 •
CVSS: 5.4EPSS: %CPEs: 4EXPL: 0CVE-2025-22115 – btrfs: fix block group refcount race in btrfs_create_pending_block_groups()
https://notcve.org/view.php?id=CVE-2025-22115
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_space_info(), but before creation is completely completed in btrfs_create_pending_block_groups(). As a result, it is possible for a block group to g... • https://git.kernel.org/stable/c/0657b20c5a76c938612f8409735a8830d257866e •
CVSS: 6.1EPSS: %CPEs: 2EXPL: 0CVE-2025-22113 – ext4: avoid journaling sb update on error if journal is destroying
https://notcve.org/view.php?id=CVE-2025-22113
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shut... • https://git.kernel.org/stable/c/2d01ddc86606564fb08c56e3bc93a0693895f710 •
CVSS: 7.1EPSS: %CPEs: 4EXPL: 0CVE-2025-22112 – eth: bnxt: fix out-of-range access of vnic_info array
https://notcve.org/view.php?id=CVE-2025-22112
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix out-of-range access of vnic_info array The bnxt_queue_{start | stop}() access vnic_info as much as allocated, which indicates bp->nr_vnics. So, it should not reach bp->vnic_info[bp->nr_vnics]. In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix out-of-range access of vnic_info array The bnxt_queue_{start | stop}() access vnic_info as much as allocated, which indicates bp->nr_vnics. So, it should... • https://git.kernel.org/stable/c/661958552eda5bf64bfafb4821cbdded935f1f68 •
CVSS: 4.7EPSS: %CPEs: 2EXPL: 0CVE-2025-22111 – net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
https://notcve.org/view.php?id=CVE-2025-22111
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge. In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br... • https://git.kernel.org/stable/c/893b195875340cb44b54c9db99e708145f1210e8 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-22109 – ax25: Remove broken autobind
https://notcve.org/view.php?id=CVE-2025-22109
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: Remove broken autobind Binding AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). Memory leak was detected with kmemleak: ================================================================ unreferenced object 0xffff8880253cd680 (size 96): backtrace: __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43) kmemdup_noprof (mm/util.c:136) ax25_rt_autobind (... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-22108 – bnxt_en: Mask the bd_cnt field in the TX BD properly
https://notcve.org/view.php?id=CVE-2025-22108
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Mask the bd_cnt field in the TX BD properly The bd_cnt field in the TX BD specifies the total number of BDs for the TX packet. The bd_cnt field has 5 bits and the maximum number supported is 32 with the value 0. CONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB fragments can approach or exceed the maximum supported by the chip. Add a macro to properly mask the bd_cnt field so that the value 32 will be properly masked... • https://git.kernel.org/stable/c/3948b05950fdd64002a5f182c65ba5cf2d53cf71 •
CVSS: 9.0EPSS: %CPEs: 2EXPL: 0CVE-2025-22107 – net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
https://notcve.org/view.php?id=CVE-2025-22107
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, because the last element is out of bounds. The out-of-bounds element still remains out of bounds after being accessed, so the problem is only th... • https://git.kernel.org/stable/c/6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 •