CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40285 – smb/server: fix possible refcount leak in smb2_sess_setup()
https://notcve.org/view.php?id=CVE-2025-40285
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible refcount leak in smb2_sess_setup() Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put(). In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible refcount leak in smb2_sess_setup() Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put()... • https://git.kernel.org/stable/c/6fc935f798d44a8eb8a5e6659198399fbf57b981 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40284 – Bluetooth: MGMT: cancel mesh send timer when hdev removed
https://notcve.org/view.php?id=CVE-2025-40284
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_... • https://git.kernel.org/stable/c/b338d91703fae6f6afd67f3f75caa3b8f36ddef3 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40283 – Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
https://notcve.org/view.php?id=CVE-2025-40283
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF. Fix by moving the accesses to btusb data to before the data is free'd. In the Linux kernel, the following vulnerability has ... • https://git.kernel.org/stable/c/fd913ef7ce619467c6b0644af48ba1fec499c623 •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40282 – Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
https://notcve.org/view.php?id=CVE-2025-40282
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW Add missing skb_reset_mac_header() for uncompressed ipv6 RX path. For the compressed one, it is done in lowpan_header_decompress(). Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: ... • https://git.kernel.org/stable/c/18722c247023035b9e2e2a08a887adec2a9a6e49 •
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40281 – sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
https://notcve.org/view.php?id=CVE-2025-40281
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto syzbot reported a possible shift-out-of-bounds [1] Blamed commit added rto_alpha_max and rto_beta_max set to 1000. It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta. In order to prevent user regression, perform the test at run time. Also add READ_ONCE() annotations as sysctl values can change under us. [1] UBSAN: shift-out-of-bounds in ne... • https://git.kernel.org/stable/c/b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40280 – tipc: Fix use-after-free in tipc_mon_reinit_self().
https://notcve.org/view.php?id=CVE-2025-40280
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __r... • https://git.kernel.org/stable/c/28845c28f842e9e55e75b2c116bff714bb039055 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40279 – net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
https://notcve.org/view.php?id=CVE-2025-40279
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared ... • https://git.kernel.org/stable/c/22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40278 – net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
https://notcve.org/view.php?id=CVE-2025-40278
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by the syzbot . [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initi... • https://git.kernel.org/stable/c/ef6980b6becb1afd9d82a4f043749a10ae81bf14 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40277 – drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
https://notcve.org/view.php?id=CVE-2025-40277
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access. In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could ... • https://git.kernel.org/stable/c/8ce75f8ab9044fe11caaaf2b2c82471023212f9f •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40275 – ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
https://notcve.org/view.php?id=CVE-2025-40275
06 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without... • https://git.kernel.org/stable/c/17156f23e93c0f59e06dd2aaffd06221341caaee •