CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38193 – net_sched: sch_sfq: reject invalid perturb period
https://notcve.org/view.php?id=CVE-2025-38193
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc qd add dev lo root sfq perturb -10 # negative value : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 1000000000 # too big : error Er... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38190 – atm: Revert atm_account_tx() if copy_from_iter_full() fails.
https://notcve.org/view.php?id=CVE-2025-38190
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: Revert atm_account_tx() if copy_from_iter_full() fails. In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by atm_account_tx(). It is expected to be reverted by atm_pop_raw() later called by vcc->dev->ops->send(vcc, skb). However, vcc_sendmsg() misses the same revert when copy_from_iter_full() fails, and then we will leak a socket. Let's factorise the revert part as atm_return_tx() and call it in the failure path. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38185 – atm: atmtcp: Free invalid length skb in atmtcp_c_send().
https://notcve.org/view.php?id=CVE-2025-38185
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert at... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38180 – net: atm: fix /proc/net/atm/lec handling
https://notcve.org/view.php?id=CVE-2025-38180
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38177 – sch_hfsc: make hfsc_qlen_notify() idempotent
https://notcve.org/view.php?id=CVE-2025-38177
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it. 2. eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe. I... • https://git.kernel.org/stable/c/0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38105 – ALSA: usb-audio: Kill timer properly at removal
https://notcve.org/view.php?id=CVE-2025-38105
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(... • https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38099 – Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken
https://notcve.org/view.php?id=CVE-2025-38099
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. • https://git.kernel.org/stable/c/f48ee562c095e552a30b8d9cc0566a267b410f8a •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38098 – drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink
https://notcve.org/view.php?id=CVE-2025-38098
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector. While dereferencing aconnector->base will "work" it's wrong and might lead to unknown bad things. Just... don't. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to op... • https://git.kernel.org/stable/c/b14e726d57f61085485f107a6203c50a09695abd •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38096 – wifi: iwlwifi: don't warn when if there is a FW error
https://notcve.org/view.php?id=CVE-2025-38096
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: don't warn when if there is a FW error iwl_trans_reclaim is warning if it is called when the FW is not alive. But if it is called when there is a pending restart, i.e. after a FW error, there is no need to warn, instead - return silently. In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: don't warn when if there is a FW error iwl_trans_reclaim is warning if it is called when the FW is not aliv... • https://git.kernel.org/stable/c/0446d34a853d9576e2a7628c803d2abd2f8cf3a8 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-50224 – KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT
https://notcve.org/view.php?id=CVE-2022-50224
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT Treat the NX bit as valid when using NPT, as KVM will set the NX bit when the NX huge page mitigation is enabled (mindblowing) and trigger the WARN that fires on reserved SPTE bits being set. KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM: Refuse to load kvm_amd if NX support is not available") for exactly this reason, but apparently it never occurred to anyone to ... • https://git.kernel.org/stable/c/6271f2854b9233702e236e576b885a876dde4889 •