CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38313 – bus: fsl-mc: fix double-free on mc_dev
https://notcve.org/view.php?id=CVE-2025-38313
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on mc_dev The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable. In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed. This commit introduces back the following checkpatch warning which is ... • https://git.kernel.org/stable/c/a042fbed02904493ae6df26ec836045f5a7d3ce2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38312 – fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
https://notcve.org/view.php?id=CVE-2025-38312
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the S... • https://git.kernel.org/stable/c/96fe6a2109db29cd15b90a093c16e6cb4b19371a •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38310 – seg6: Fix validation of nexthop addresses
https://notcve.org/view.php?id=CVE-2025-38310
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by validating that the provided length exactly matches the specified one. In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validati... • https://git.kernel.org/stable/c/d1df6fd8a1d22d37cffa0075ab8ad423ce656777 •
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38286 – pinctrl: at91: Fix possible out-of-boundary access
https://notcve.org/view.php?id=CVE-2025-38286
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible out-of-boundary access at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks. In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible ... • https://git.kernel.org/stable/c/6732ae5cb47c4f9a72727585956f2a5e069d1637 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38280 – bpf: Avoid __bpf_prog_ret0_warn when jit fails
https://notcve.org/view.php?id=CVE-2025-38280
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid __bpf_prog_ret0_warn when jit fails syzkaller reported an issue: WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Modules linked in: CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38269 – btrfs: exit after state insertion failure at btrfs_convert_extent_bit()
https://notcve.org/view.php?id=CVE-2025-38269
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: exit after state insertion failure at btrfs_convert_extent_bit() If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access. So jump to the 'out' label after calling ext... • https://git.kernel.org/stable/c/58c50f45e1821a04d61b62514f9bd34afe67c622 •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38264 – nvme-tcp: sanitize request list handling
https://notcve.org/view.php?id=CVE-2025-38264
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop in request list processing. In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop ... • https://git.kernel.org/stable/c/78a4adcd3fedb0728436e8094848ebf4c6bae006 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38263 – bcache: fix NULL pointer in cache_set_flush()
https://notcve.org/view.php?id=CVE-2025-38263
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init... • https://git.kernel.org/stable/c/1f25f2d3fa29325320c19a30abf787e0bd5fc91b •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38262 – tty: serial: uartlite: register uart driver in init
https://notcve.org/view.php?id=CVE-2025-38262
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads... • https://git.kernel.org/stable/c/9c905fdbba68a6d73d39a6b7de9b9f0d6c46df87 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38261 – riscv: save the SR_SUM status over switches
https://notcve.org/view.php?id=CVE-2025-38261
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: riscv: save the SR_SUM status over switches When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR_SUM state restored. The issue was seen under heavy load especially with the syz-stress tool running, with crashes as follows in schedule_tail: Unable to handle kernel access to user memory without uaccess routines at virtual address 000000002749f0d0 Oops [#1] Modules linked... • https://git.kernel.org/stable/c/69ea599a8dab93a620c92c255be4239a06290a77 •