CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38441 – netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()
https://notcve.org/view.php?id=CVE-2025-38441
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0... • https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38440 – net/mlx5e: Fix race between DIM disable and net_dim()
https://notcve.org/view.php?id=CVE-2025-38440
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race between DIM disable and net_dim() There's a race between disabling DIM and NAPI callbacks using the dim pointer on the RQ or SQ. If NAPI checks the DIM state bit and sees it still set, it assumes `rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after that check, the pointer might already be set to NULL, leading to a NULL pointer dereference in net_dim(). Fix this by calling `synchronize_net()` before freei... • https://git.kernel.org/stable/c/445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38439 – bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
https://notcve.org/view.php?id=CVE-2025-38439
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c ... • https://git.kernel.org/stable/c/f18c2b77b2e4eec2313d519ba125bd6a069513cf •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38438 – ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.
https://notcve.org/view.php?id=CVE-2025-38438
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. sof_pdata->tplg_filename can have address allocated by kstrdup() and can be overwritten. Memory leak was detected with kmemleak: unreferenced object 0xffff88812391ff60 (size 16): comm "kworker/4:1", pid 161, jiffies 4294802931 hex dump (first 16 bytes): 73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic. backtrace (crc 4bf1675c): __kmalloc_node_track_caller_noprof+0x49... • https://git.kernel.org/stable/c/68397fda2caa90e99a7c0bcb2cf604e42ef3b91f •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38437 – ksmbd: fix potential use-after-free in oplock/lease break ack
https://notcve.org/view.php?id=CVE-2025-38437
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen by accessing opinfo->state and opinfo_put and ksmbd_fd_put could called twice. • https://git.kernel.org/stable/c/e38ec88a2b42c494601b1213816d75f0b54d9bf0 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38436 – drm/scheduler: signal scheduled fence when kill job
https://notcve.org/view.php?id=CVE-2025-38436
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/scheduler: signal scheduled fence when kill job When an entity from application B is killed, drm_sched_entity_kill() removes all jobs belonging to that entity through drm_sched_entity_kill_jobs_work(). If application A's job depends on a scheduled fence from application B's job, and that fence is not properly signaled during the killing process, application A's dependency cannot be cleared. This leads to application A hanging indefinite... • https://git.kernel.org/stable/c/c5734f9bab6f0d40577ad0633af4090a5fda2407 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38434 – Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"
https://notcve.org/view.php?id=CVE-2025-38434
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()"). This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(), because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some computation. The reasoning was that all user addresses are less than LONG_MAX, and all kernel addresses are greater than LONG_MAX. Therefore access_ok() can fi... • https://git.kernel.org/stable/c/ad5643cf2f699989daa85d909403febd6712fccb •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38430 – nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
https://notcve.org/view.php?id=CVE-2025-38430
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure. • https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38429 – bus: mhi: ep: Update read pointer only after buffer is written
https://notcve.org/view.php?id=CVE-2025-38429
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Update read pointer only after buffer is written Inside mhi_ep_ring_add_element, the read pointer (rd_offset) is updated before the buffer is written, potentially causing race conditions where the host sees an updated read pointer before the buffer is actually written. Updating rd_offset prematurely can lead to the host accessing an uninitialized or incomplete element, resulting in data corruption. Invoke the buffer write befo... • https://git.kernel.org/stable/c/bbdcba57a1a26a4439a4f4ecdbfaf80a10fd8f34 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38428 – Input: ims-pcu - check record size in ims_pcu_flash_firmware()
https://notcve.org/view.php?id=CVE-2025-38428
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec->data, len);" • https://git.kernel.org/stable/c/628329d52474323938a03826941e166bc7c8eff4 •