CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38217 – hwmon: (ftsteutates) Fix TOCTOU race in fts_read()
https://notcve.org/view.php?id=CVE-2025-38217
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (ftsteutates) Fix TOCTOU race in fts_read() In the fts_read() function, when handling hwmon_pwm_auto_channels_temp, the code accesses the shared variable data->fan_source[channel] twice without holding any locks. It is first checked against FTS_FAN_SOURCE_INVALID, and if the check passes, it is read again when used as an argument to the BIT() macro. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. Another thread e... • https://git.kernel.org/stable/c/1c5759d8ce054961b454af69568a41e7e3210ee1 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38216 – iommu/vt-d: Restore context entry setup order for aliased devices
https://notcve.org/view.php?id=CVE-2025-38216
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Restore context entry setup order for aliased devices Commit 2031c469f816 ("iommu/vt-d: Add support for static identity domain") changed the context entry setup during domain attachment from a set-and-check policy to a clear-and-reset approach. This inadvertently introduced a regression affecting PCI aliased devices behind PCIe-to-PCI bridges. Specifically, keyboard and touchpad stopped working on several Apple Macbooks with bel... • https://git.kernel.org/stable/c/2031c469f8161abe74189cb74f50da224f340b71 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38215 – fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var
https://notcve.org/view.php?id=CVE-2025-38215
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ==================================================... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38214 – fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
https://notcve.org/view.php?id=CVE-2025-38214
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general prot... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38213 – vgacon: Add check for vc_origin address range in vgacon_scroll()
https://notcve.org/view.php?id=CVE-2025-38213
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: vgacon: Add check for vc_origin address range in vgacon_scroll() Our in-house Syzkaller reported the following BUG (twice), which we believed was the same issue with [1]: ================================================================== BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740 Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393 ... Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38212 – ipc: fix to protect IPCS lookups using RCU
https://notcve.org/view.php?id=CVE-2025-38212
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediat... • https://git.kernel.org/stable/c/b34a6b1da371ed8af1221459a18c67970f7e3d53 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38211 – RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
https://notcve.org/view.php?id=CVE-2025-38211
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object co... • https://git.kernel.org/stable/c/59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38210 – configfs-tsm-report: Fix NULL dereference of tsm_ops
https://notcve.org/view.php?id=CVE-2025-38210
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: configfs-tsm-report: Fix NULL dereference of tsm_ops Unlike sysfs, the lifetime of configfs objects is controlled by userspace. There is no mechanism for the kernel to find and delete all created config-items. Instead, the configfs-tsm-report mechanism has an expectation that tsm_unregister() can happen at any time and cause established config-item access to start failing. That expectation is not fully satisfied. While tsm_report_read(), ts... • https://git.kernel.org/stable/c/70e6f7e2b98575621019aa40ac616be58ff984e0 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38209 – nvme-tcp: remove tag set when second admin queue config fails
https://notcve.org/view.php?id=CVE-2025-38209
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure concatenation") modified nvme_tcp_setup_ctrl() to call nvme_tcp_configure_admin_queue() twice. The first call prepares for DH-CHAP negotitation, and the second call is required for secure concatenation. However, this change triggered BUG KASAN slab-use-after- free in blk_mq_queue_tag_busy_iter(). This BUG can b... • https://git.kernel.org/stable/c/104d0e2f622233477ef7e57e59e8a4c3bb062c82 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38208 – smb: client: add NULL check in automount_fullpath
https://notcve.org/view.php?id=CVE-2025-38208
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: add NULL check in automount_fullpath page is checked for null in __build_path_from_dentry_optional_prefix when tcon->origin_fullpath is not set. However, the check is missing when it is set. Add a check to prevent a potential NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: smb: client: add NULL check in automount_fullpath page is checked for null in __build_path_from_dentry_optional... • https://git.kernel.org/stable/c/37166d63e42c34846a16001950ecec96229a8d17 •