CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22126 – md: fix mddev uaf while iterating all_mddevs list
https://notcve.org/view.php?id=CVE-2025-22126
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: md: fix mddev uaf while iterating all_mddevs list While iterating all_mddevs list from md_notify_reboot() and md_exit(), list_for_each_entry_safe is used, and this can race with deletint the next mddev, causing UAF: t1: spin_lock //list_for_each_entry_safe(mddev, n, ...) mddev_get(mddev1) // assume mddev2 is the next entry spin_unlock t2: //remove mddev2 ... mddev_free spin_lock list_del spin_unlock kfree(mddev2) mddev_put(mddev1) spin_lock... • https://git.kernel.org/stable/c/f26514342255855f4ca3c0a92cb1cdea01c33004 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22125 – md/raid1,raid10: don't ignore IO flags
https://notcve.org/view.php?id=CVE-2025-22125
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: md/raid1,raid10: don't ignore IO flags If blk-wbt is enabled by default, it's found that raid write performance is quite bad because all IO are throttled by wbt of underlying disks, due to flag REQ_IDLE is ignored. And turns out this behaviour exist since blk-wbt is introduced. Other than REQ_IDLE, other flags should not be ignored as well, for example REQ_META can be set for filesystems, clearing it can cause priority reverse problems; And... • https://git.kernel.org/stable/c/5404bc7a87b9949cf61e0174b21f80e73239ab25 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22121 – ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
https://notcve.org/view.php?id=CVE-2025-22121
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_re... • https://git.kernel.org/stable/c/e50e5129f384ae282adebfb561189cdb19b81cee •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22115 – btrfs: fix block group refcount race in btrfs_create_pending_block_groups()
https://notcve.org/view.php?id=CVE-2025-22115
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_space_info(), but before creation is completely completed in btrfs_create_pending_block_groups(). As a result, it is possible for a block group to g... • https://git.kernel.org/stable/c/0657b20c5a76c938612f8409735a8830d257866e •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22113 – ext4: avoid journaling sb update on error if journal is destroying
https://notcve.org/view.php?id=CVE-2025-22113
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shut... • https://git.kernel.org/stable/c/2d01ddc86606564fb08c56e3bc93a0693895f710 •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22111 – net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
https://notcve.org/view.php?id=CVE-2025-22111
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge. In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br... • https://git.kernel.org/stable/c/893b195875340cb44b54c9db99e708145f1210e8 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22109 – ax25: Remove broken autobind
https://notcve.org/view.php?id=CVE-2025-22109
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: Remove broken autobind Binding AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). Memory leak was detected with kmemleak: ================================================================ unreferenced object 0xffff8880253cd680 (size 96): backtrace: __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43) kmemdup_noprof (mm/util.c:136) ax25_rt_autobind (... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22107 – net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
https://notcve.org/view.php?id=CVE-2025-22107
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, because the last element is out of bounds. The out-of-bounds element still remains out of bounds after being accessed, so the problem is only th... • https://git.kernel.org/stable/c/6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22105 – bonding: check xdp prog when set bond mode
https://notcve.org/view.php?id=CVE-2025-22105
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bonding: check xdp prog when set bond mode Following operations can trigger a warning[1]: ip netns add ns1 ip netns exec ns1 ip link add bond0 type bond mode balance-rr ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp ip netns exec ns1 ip link set bond0 type bond mode broadcast ip netns del ns1 When delete the namespace, dev_xdp_uninstall() is called to remove xdp program on bond dev, and bond_xdp_set() will check the b... • https://git.kernel.org/stable/c/9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22104 – ibmvnic: Use kernel helpers for hex dumps
https://notcve.org/view.php?id=CVE-2025-22104
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Use kernel helpers for hex dumps Previously, when the driver was printing hex dumps, the buffer was cast to an 8 byte long and printed using string formatters. If the buffer size was not a multiple of 8 then a read buffer overflow was possible. Therefore, create a new ibmvnic function that loops over a buffer and calls hex_dump_to_buffer instead. This patch address KASAN reports like the one below: ibmvnic 30000003 env3: Login Buff... • https://git.kernel.org/stable/c/032c5e82847a2214c3196a90f0aeba0ce252de58 •