CVSS: 6.1EPSS: %CPEs: 2EXPL: 0CVE-2025-22113 – ext4: avoid journaling sb update on error if journal is destroying
https://notcve.org/view.php?id=CVE-2025-22113
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shut... • https://git.kernel.org/stable/c/2d01ddc86606564fb08c56e3bc93a0693895f710 •
CVSS: 4.7EPSS: %CPEs: 2EXPL: 0CVE-2025-22111 – net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
https://notcve.org/view.php?id=CVE-2025-22111
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge. In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br... • https://git.kernel.org/stable/c/893b195875340cb44b54c9db99e708145f1210e8 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-22109 – ax25: Remove broken autobind
https://notcve.org/view.php?id=CVE-2025-22109
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: Remove broken autobind Binding AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). Memory leak was detected with kmemleak: ================================================================ unreferenced object 0xffff8880253cd680 (size 96): backtrace: __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43) kmemdup_noprof (mm/util.c:136) ax25_rt_autobind (... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-22108 – bnxt_en: Mask the bd_cnt field in the TX BD properly
https://notcve.org/view.php?id=CVE-2025-22108
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Mask the bd_cnt field in the TX BD properly The bd_cnt field in the TX BD specifies the total number of BDs for the TX packet. The bd_cnt field has 5 bits and the maximum number supported is 32 with the value 0. CONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB fragments can approach or exceed the maximum supported by the chip. Add a macro to properly mask the bd_cnt field so that the value 32 will be properly masked... • https://git.kernel.org/stable/c/3948b05950fdd64002a5f182c65ba5cf2d53cf71 •
CVSS: 9.0EPSS: %CPEs: 2EXPL: 0CVE-2025-22107 – net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
https://notcve.org/view.php?id=CVE-2025-22107
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, because the last element is out of bounds. The out-of-bounds element still remains out of bounds after being accessed, so the problem is only th... • https://git.kernel.org/stable/c/6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 •
CVSS: 7.8EPSS: %CPEs: 2EXPL: 0CVE-2025-22106 – vmxnet3: unregister xdp rxq info in the reset path
https://notcve.org/view.php?id=CVE-2025-22106
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: vmxnet3: unregister xdp rxq info in the reset path vmxnet3 does not unregister xdp rxq info in the vmxnet3_reset_work() code path as vmxnet3_rq_destroy() is not invoked in this code path. So, we get below message with a backtrace. Missing unregister, handled but fix driver WARNING: CPU:48 PID: 500 at net/core/xdp.c:182 __xdp_rxq_info_reg+0x93/0xf0 This patch fixes the problem by moving the unregister code of XDP from vmxnet3_rq_destroy() to... • https://git.kernel.org/stable/c/54f00cce11786742bd11e5e68c3bf85e6dc048c9 •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2025-22105 – bonding: check xdp prog when set bond mode
https://notcve.org/view.php?id=CVE-2025-22105
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bonding: check xdp prog when set bond mode Following operations can trigger a warning[1]: ip netns add ns1 ip netns exec ns1 ip link add bond0 type bond mode balance-rr ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp ip netns exec ns1 ip link set bond0 type bond mode broadcast ip netns del ns1 When delete the namespace, dev_xdp_uninstall() is called to remove xdp program on bond dev, and bond_xdp_set() will check the b... • https://git.kernel.org/stable/c/9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2025-22104 – ibmvnic: Use kernel helpers for hex dumps
https://notcve.org/view.php?id=CVE-2025-22104
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Use kernel helpers for hex dumps Previously, when the driver was printing hex dumps, the buffer was cast to an 8 byte long and printed using string formatters. If the buffer size was not a multiple of 8 then a read buffer overflow was possible. Therefore, create a new ibmvnic function that loops over a buffer and calls hex_dump_to_buffer instead. This patch address KASAN reports like the one below: ibmvnic 30000003 env3: Login Buff... • https://git.kernel.org/stable/c/032c5e82847a2214c3196a90f0aeba0ce252de58 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-22103 – net: fix NULL pointer dereference in l3mdev_l3_rcv
https://notcve.org/view.php?id=CVE-2025-22103
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: fix NULL pointer dereference in l3mdev_l3_rcv When delete l3s ipvlan: ip link del link eth0 ipvlan1 type ipvlan mode l3s This may cause a null pointer dereference: Call trace: ip_rcv_finish+0x48/0xd0 ip_rcv+0x5c/0x100 __netif_receive_skb_one_core+0x64/0xb0 __netif_receive_skb+0x20/0x80 process_backlog+0xb4/0x204 napi_poll+0xe8/0x294 net_rx_action+0xd8/0x22c __do_softirq+0x12c/0x354 This is because l3mdev_l3_rcv() visit dev->l3mdev_ops ... • https://git.kernel.org/stable/c/c675e06a98a474f7ad0af32ce467613da818da52 •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2025-22102 – Bluetooth: btnxpuart: Fix kernel panic during FW release
https://notcve.org/view.php?id=CVE-2025-22102
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix kernel panic during FW release This fixes a kernel panic seen during release FW in a stress test scenario where WLAN and BT FW download occurs simultaneously, and due to a HW bug, chip sends out only 1 bootloader signatures. When driver receives the bootloader signature, it enters FW download mode, but since no consequtive bootloader signatures seen, FW file is not requested. After 60 seconds, when FW download time... • https://git.kernel.org/stable/c/689ca16e523278470c38832a3010645a78c544d8 •