CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40078 – bpf: Explicitly check accesses to bpf_sock_addr
https://notcve.org/view.php?id=CVE-2025-40078
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails... • https://git.kernel.org/stable/c/1cedee13d25ab118d325f95588c1a084e9317229 •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40077 – f2fs: fix to avoid overflow while left shift operation
https://notcve.org/view.php?id=CVE-2025-40077
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid overflow while left shift operation Should cast type of folio->index from pgoff_t to loff_t to avoid overflow while left shift operation. In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid overflow while left shift operation Should cast type of folio->index from pgoff_t to loff_t to avoid overflow while left shift operation. These are all security issues fixed in the kernel-devel-6.17.7... • https://git.kernel.org/stable/c/3265d3db1f16395cfc6b8ea9b31b4001d98d05ef •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40075 – tcp_metrics: use dst_dev_net_rcu()
https://notcve.org/view.php?id=CVE-2025-40075
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: use dst_dev_net_rcu() Replace three dst_dev() with a lockdep enabled helper. These are all security issues fixed in the kernel-devel-6.17.7-1.1 package on the GA media of openSUSE Tumbleweed. • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40074 – ipv4: start using dst_dev_rcu()
https://notcve.org/view.php?id=CVE-2025-40074
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv4: start using dst_dev_rcu() Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF. Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu(). In the Linux kernel, the following vulnerability has been resolved: ipv4: start using dst_dev_rcu() Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF. Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_m... • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40070 – pps: fix warning in pps_register_cdev when register device fail
https://notcve.org/view.php?id=CVE-2025-40070
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/co... • https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40064 – smc: Fix use-after-free in __pnet_find_base_ndev().
https://notcve.org/view.php?id=CVE-2025-40064
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in __pnet_find_base_ndev(). syzbot reported use-after-free of net_device in __pnet_find_base_ndev(), which was called during connect(). [0] smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened at __pnet_find_base_ndev() when the dev is first used. This means dev had already been freed before acquiring RTNL in pnet_find_base_ndev(). W... • https://git.kernel.org/stable/c/0afff91c6f5ecef27715ea71e34dc2baacba1060 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40055 – ocfs2: fix double free in user_cluster_connect()
https://notcve.org/view.php?id=CVE-2025-40055
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix double free in user_cluster_connect() user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then the error handling frees "lc" a second time. Set "lc" to NULL on this path to avoid a double free. In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix double free in user_cluster_connect() user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then the error handling frees "lc" a... • https://git.kernel.org/stable/c/c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40054 – f2fs: fix UAF issue in f2fs_merge_page_bio()
https://notcve.org/view.php?id=CVE-2025-40054
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF issue in f2fs_merge_page_bio() As JY reported in bugzilla [1], Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98 lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4 CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5 Tainted: [P]=PROPRIETARY_... • https://git.kernel.org/stable/c/0b20fcec8651569935a10afe03fedc0b812d044e •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40053 – net: dlink: handle copy_thresh allocation failure
https://notcve.org/view.php?id=CVE-2025-40053
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh allocation failure The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference. This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path. Tested-on: D-Link DGE-550T Rev-A3 In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40049 – Squashfs: fix uninit-value in squashfs_get_parent
https://notcve.org/view.php?id=CVE-2025-40049
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: fix uninit-value in squashfs_get_parent Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory. Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field. unsigned int parent_ino ... • https://git.kernel.org/stable/c/122601408d20c77704268f1dea9f9ce4abf997c2 •