CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38212 – ipc: fix to protect IPCS lookups using RCU
https://notcve.org/view.php?id=CVE-2025-38212
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediat... • https://git.kernel.org/stable/c/b34a6b1da371ed8af1221459a18c67970f7e3d53 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38208 – smb: client: add NULL check in automount_fullpath
https://notcve.org/view.php?id=CVE-2025-38208
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: add NULL check in automount_fullpath page is checked for null in __build_path_from_dentry_optional_prefix when tcon->origin_fullpath is not set. However, the check is missing when it is set. Add a check to prevent a potential NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: smb: client: add NULL check in automount_fullpath page is checked for null in __build_path_from_dentry_optional... • https://git.kernel.org/stable/c/37166d63e42c34846a16001950ecec96229a8d17 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38207 – mm: fix uprobe pte be overwritten when expanding vma
https://notcve.org/view.php?id=CVE-2025-38207
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: mm: fix uprobe pte be overwritten when expanding vma Patch series "Fix uprobe pte be overwritten when expanding vma". This patch (of 4): We encountered a BUG alert triggered by Syzkaller as follows: BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1 And we can reproduce it with the following steps: 1. register uprobe on file at zero offset 2. mmap the file at zero offset: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVA... • https://git.kernel.org/stable/c/2b144498350860b6ee9dc57ff27a93ad488de5dc •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38204 – jfs: fix array-index-out-of-bounds read in add_missing_indices
https://notcve.org/view.php?id=CVE-2025-38204
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to 127. Added a bound check for that error and return -EIO if the check fails. Also make jfs_readdir return with error if add_missing_indices returns with an error. In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but i... • https://git.kernel.org/stable/c/81af4b34fd72d390d7f237c6a545cc6d09707956 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38203 – jfs: Fix null-ptr-deref in jfs_ioc_trim
https://notcve.org/view.php?id=CVE-2025-38203
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted 6.13.0-rc6-gfbfd64d25c7a-dirty #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Sched_ext: serialise (enabled+all), task: ru... • https://git.kernel.org/stable/c/b40c2e665cd552eae5fbdbb878bc29a34357668e •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38198 – fbcon: Make sure modelist not set on unregistered console
https://notcve.org/view.php?id=CVE-2025-38198
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_info *[32]' ... fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 fb_new_m... • https://git.kernel.org/stable/c/b3237d451bf3a4490cb1a76f3b7c91d9888f1c4b •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38194 – jffs2: check that raw node were preallocated before writing summary
https://notcve.org/view.php?id=CVE-2025-38194
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't check return value of jffs2_prealloc_raw_node_refs and simply lets any error propagate into jffs2_sum_write_data, which eventually calls jffs2_link_node_ref in order to link the summary to an expectedly allocated node. kernel BUG... • https://git.kernel.org/stable/c/2f785402f39b96a077b6e62bf26164bfb8e0c980 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38193 – net_sched: sch_sfq: reject invalid perturb period
https://notcve.org/view.php?id=CVE-2025-38193
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc qd add dev lo root sfq perturb -10 # negative value : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 1000000000 # too big : error Er... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38190 – atm: Revert atm_account_tx() if copy_from_iter_full() fails.
https://notcve.org/view.php?id=CVE-2025-38190
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: Revert atm_account_tx() if copy_from_iter_full() fails. In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by atm_account_tx(). It is expected to be reverted by atm_pop_raw() later called by vcc->dev->ops->send(vcc, skb). However, vcc_sendmsg() misses the same revert when copy_from_iter_full() fails, and then we will leak a socket. Let's factorise the revert part as atm_return_tx() and call it in the failure path. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38185 – atm: atmtcp: Free invalid length skb in atmtcp_c_send().
https://notcve.org/view.php?id=CVE-2025-38185
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert at... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •