CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39762 – drm/amd/display: add null check
https://notcve.org/view.php?id=CVE-2025-39762
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39761 – wifi: ath12k: Decrement TID on RX peer frag setup error handling
https://notcve.org/view.php?id=CVE-2025-39761
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Decrement TID on RX peer frag setup error handling Currently, TID is not decremented before peer cleanup, during error handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to out-of-bounds access in peer->rx_tid[]. Hence, add a decrement operation for TID, before peer cleanup to ensures proper cleanup and prevents out-of-bounds access issues when the RX peer frag setup fails. Found during code review. Compile teste... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39760 – usb: core: config: Prevent OOB read in SS endpoint companion parsing
https://notcve.org/view.php?id=CVE-2025-39760
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor. In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss... • https://git.kernel.org/stable/c/5c3097ede7835d3caf6543eb70ff689af4550cd2 •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39759 – btrfs: qgroup: fix race between quota disable and quota rescan ioctl
https://notcve.org/view.php?id=CVE-2025-39759
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing ... • https://git.kernel.org/stable/c/7cda0fdde5d9890976861421d207870500f9aace •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39758 – RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages
https://notcve.org/view.php?id=CVE-2025-39758
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this: static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset, size_t size) [...] /* Calculate the number of bytes we need to push, for this page * specifically */ size_t bytes = min_t(size_t, PAGE_SIZE - offset, size); /* If we can't splice it, then copy it in, as normal */ if... • https://git.kernel.org/stable/c/c2ff29e99a764769eb2ce3a1a5585013633ee9a6 •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39757 – ALSA: usb-audio: Validate UAC3 cluster segment descriptors
https://notcve.org/view.php?id=CVE-2025-39757
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descrip... • https://git.kernel.org/stable/c/11785ef53228d23ec386f5fe4a34601536f0c891 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39756 – fs: Prevent file descriptor table allocations exceeding INT_MAX
https://notcve.org/view.php?id=CVE-2025-39756
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_MAX, resulting in a WARNING in mm/slub.c: WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288 This happens because kvmalloc_array() and kvm... • https://git.kernel.org/stable/c/9cfe015aa424b3c003baba3841a60dd9b5ad319b •
CVSS: 6.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39754 – mm/smaps: fix race between smaps_hugetlb_range and migration
https://notcve.org/view.php?id=CVE-2025-39754
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/smaps: fix race between smaps_hugetlb_range and migration smaps_hugetlb_range() handles the pte without holdling ptl, and may be concurrenct with migration, leaing to BUG_ON in pfn_swap_entry_to_page(). The race is as follows. smaps_hugetlb_range migrate_pages huge_ptep_get remove_migration_ptes folio_unlock pfn_swap_entry_folio BUG_ON To fix it, hold ptl lock in smaps_hugetlb_range(). In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/25ee01a2fca02dfb5a3ce316e77910c468108199 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39753 – gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops
https://notcve.org/view.php?id=CVE-2025-39753
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Clears up the warning added in 7ee3647243e5 ("migrate: Remove call to ->writepage") that occurs in various xfstests, causing "something found in dmesg" failures. [ 341.136573] gfs2_meta_aops does not implement migrate_folio [ 341.136953] WARNING: CPU: 1 PID: 36 at mm/migrate.c:944 move_to_new_folio+0x2f8/0x300 In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .mig... • https://git.kernel.org/stable/c/3d2c05cbc6a3725d832b912b637971f37301c7e5 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39752 – ARM: rockchip: fix kernel hang during smp initialization
https://notcve.org/view.php?id=CVE-2025-39752
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ARM: rockchip: fix kernel hang during smp initialization In order to bring up secondary CPUs main CPU write trampoline code to SRAM. The trampoline code is written while secondary CPUs are powered on (at least that true for RK3188 CPU). Sometimes that leads to kernel hang. Probably because secondary CPU execute trampoline code while kernel doesn't expect. The patch moves SRAM initialization step to the point where all secondary CPUs are pow... • https://git.kernel.org/stable/c/3ee851e212d0bb6be8c462059fba74ce2e3f6064 •