CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38700 – scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
https://notcve.org/view.php?id=CVE-2025-38700
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads invalid pointer dereference during connection teardown. Fix by setting iscsi_conn->dd_data only if memory is actually allocated. Panic trace: ------------ is... • https://git.kernel.org/stable/c/5d91e209fb21fb9cc765729d4c6a85a9fb6c9187 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38699 – scsi: bfa: Double-free fix
https://notcve.org/view.php?id=CVE-2025-38699
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Double-free fix When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, it attempts to free the memory pointed to by bfad->im again, thereby triggering a double-free vulnerability. Set bfad->im to NULL i... • https://git.kernel.org/stable/c/7725ccfda59715ecf8f99e3b520a0b84cc2ea79e •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38698 – jfs: Regular file corruption check
https://notcve.org/view.php?id=CVE-2025-38698
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption check The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures. In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption check The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures. It... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38697 – jfs: upper bound check of tree index in dbAllocAG
https://notcve.org/view.php?id=CVE-2025-38697
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of bounds realative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted. In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of boun... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38694 – media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
https://notcve.org/view.php?id=CVE-2025-38694
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar issue occurs when access msg[1].buf[0] and msg[1].buf[1]. • https://git.kernel.org/stable/c/713d54a8bd812229410a1902cd9b332a2a27af9f •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38693 – media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
https://notcve.org/view.php?id=CVE-2025-38693
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027... • https://git.kernel.org/stable/c/713d54a8bd812229410a1902cd9b332a2a27af9f •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38685 – fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
https://notcve.org/view.php?id=CVE-2025-38685
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part of mapping it has to do resize of console according to frame buffer info. if this resize fails and returns from vc_do_resize() and continues further. At this point... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38680 – media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
https://notcve.org/view.php?id=CVE-2025-38680
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format(). In the Linux kernel, the following ... • https://git.kernel.org/stable/c/c0efd232929c2cd87238de2cccdaf4e845be5b0c •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38666 – net: appletalk: Fix use-after-free in AARP proxy probe
https://notcve.org/view.php?id=CVE-2025-38666
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_time... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38665 – can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
https://notcve.org/view.php?id=CVE-2025-38665
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code path that call struct can_priv::do_set_mode: - directly by a manual restart from the user space, via can_changelink() - delayed automatic restart after bus off (deactivated by... • https://git.kernel.org/stable/c/39549eef3587f1c1e8c65c88a2400d10fd30ea17 •