CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38034 – btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
https://notcve.org/view.php?id=CVE-2025-38034
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert(). Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref. To reproduce: echo 1 > /sys/k... • https://git.kernel.org/stable/c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38024 – RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
https://notcve.org/view.php?id=CVE-2025-38024
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38023 – nfs: handle failure of nfs_get_lock_context in unlock path
https://notcve.org/view.php?id=CVE-2025-38023
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: nfs: handle failure of nfs_get_lock_context in unlock path When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, addr... • https://git.kernel.org/stable/c/f30cb757f680f965ba8a2e53cb3588052a01aeb5 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38009 – wifi: mt76: disable napi on driver removal
https://notcve.org/view.php?id=CVE-2025-38009
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: disable napi on driver removal A warning on driver removal started occurring after commit 9dd05df8403b ("net: warn if NAPI instance wasn't shut down"). Disable tx napi before deleting it in mt76_dma_cleanup(). WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100 CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy) Hardware name: ASUS System Product Name/PRIME X670E-PRO W... • https://git.kernel.org/stable/c/2ac515a5d74f26963362d5da9589c67ca3663338 •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38004 – can: bcm: add locking for bcm_op runtime updates
https://notcve.org/view.php?id=CVE-2025-38004
08 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a p... • https://git.kernel.org/stable/c/ffd980f976e7fd666c2e61bf8ab35107efd11828 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-38003 – can: bcm: add missing rcu read protection for procfs content
https://notcve.org/view.php?id=CVE-2025-38003
08 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read protection for procfs content When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF). As the removal of bcm_op's is already implemented with rcu handling this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection. En el kernel de Linux, se ha resuelto la siguiente vulne... • https://git.kernel.org/stable/c/5b48f5711f1c630841ab78dcc061de902f0e37bf •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 1CVE-2025-38001 – net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
https://notcve.org/view.php?id=CVE-2025-38001
06 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses... • https://github.com/0xdevil/CVE-2025-38001 •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38000 – sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
https://notcve.org/view.php?id=CVE-2025-38000
06 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not ... • https://git.kernel.org/stable/c/12d0ad3be9c3854e52ec74bb83bb6f43612827c7 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37998 – openvswitch: Fix unsafe attribute parsing in output_userspace()
https://notcve.org/view.php?id=CVE-2025-37998
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed. In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspac... • https://git.kernel.org/stable/c/ccb1352e76cff0524e7ccb2074826a092dd13016 •
CVSS: 6.9EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37997 – netfilter: ipset: fix region locking in hash types
https://notcve.org/view.php?id=CVE-2025-37997
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage colle... • https://git.kernel.org/stable/c/5dd9488ae41070b69d2f4acb580f77db5705f9ca •