CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23159 – media: venus: hfi: add a check to handle OOB in sfr region
https://notcve.org/view.php?id=CVE-2025-23159
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases. In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by m... • https://git.kernel.org/stable/c/d96d3f30c0f2f564f6922bf4ccdf4464992e31fb •
CVSS: 8.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23158 – media: venus: hfi: add check to handle incorrect queue size
https://notcve.org/view.php?id=CVE-2025-23158
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add check to handle incorrect queue size qsize represents size of shared queued between driver and video firmware. Firmware can modify this value to an invalid large value. In such situation, empty_space will be bigger than the space actually available. Since new_wr_idx is not checked, so the following code will result in an OOB write. ... qsize = qhdr->q_size if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx) ... • https://git.kernel.org/stable/c/d96d3f30c0f2f564f6922bf4ccdf4464992e31fb •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-23157 – media: venus: hfi_parser: add check to avoid out of bound access
https://notcve.org/view.php?id=CVE-2025-23157
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add check to avoid out of bound access There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning. In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add c... • https://git.kernel.org/stable/c/1a73374a04e555103e5369429a30999114001dda •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23156 – media: venus: hfi_parser: refactor hfi packet parsing logic
https://notcve.org/view.php?id=CVE-2025-23156
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: refactor hfi packet parsing logic words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this patch, the utility api for handling individual properties now returns the size of data consumed. Accordingly remaining bytes are calculated be... • https://git.kernel.org/stable/c/1a73374a04e555103e5369429a30999114001dda •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-23155 – net: stmmac: Fix accessing freed irq affinity_hint
https://notcve.org/view.php?id=CVE-2025-23155
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix accessing freed irq affinity_hint The cpumask should not be a local variable, since its pointer is saved to irq_desc and may be accessed from procfs. To fix it, use the persistent mask cpumask_of(cpu#). In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix accessing freed irq affinity_hint The cpumask should not be a local variable, since its pointer is saved to irq_desc and may be accessed fr... • https://git.kernel.org/stable/c/8deec94c6040bb4a767f6e9456a0a44c7f2e713e •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23154 – io_uring/net: fix io_req_post_cqe abuse by send bundle
https://notcve.org/view.php?id=CVE-2025-23154
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/net: fix io_req_post_cqe abuse by send bundle [ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0 [ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0 [ 115.001880][ T5313] Call Trace: [ 115.002222][ T5313]
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23151 – bus: mhi: host: Fix race between unprepare and queue_buf
https://notcve.org/view.php?id=CVE-2025-23151
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Fix race between unprepare and queue_buf A client driver may use mhi_unprepare_from_transfer() to quiesce incoming data during the client driver's tear down. The client driver might also be processing data at the same time, resulting in a call to mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs after mhi_unprepare_from_transfer() has torn down the channel, a panic will occur due to an invalid dereferenc... • https://git.kernel.org/stable/c/176ed1727badd2fad2158e2b214dcbc24f4be7a1 •
CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2025-23150 – ext4: fix off-by-one error in do_split
https://notcve.org/view.php?id=CVE-2025-23150
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix off-by-one error in do_split Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split. BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Hardw... • https://git.kernel.org/stable/c/ea54176e5821936d109bb45dc2c19bd53559e735 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-23149 – tpm: do not start chip while suspended
https://notcve.org/view.php?id=CVE-2025-23149
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tpm: do not start chip while suspended Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can lead to a spurious tpm_chip_start() call: [35985.503771] i2c i2c-1: Transfer while suspended [35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810 [35985.503802] Modules linked in: [35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3... • https://git.kernel.org/stable/c/cfaf83501a0cbb104499c5b0892ee5ebde4e967f •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23148 – soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
https://notcve.org/view.php?id=CVE-2025-23148
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() soc_dev_attr->revision could be NULL, thus, a pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c"). This issue is found by our static analysis tool. In the Linux kernel, the following vulnerability has been resolved: soc: samsung: exynos... • https://git.kernel.org/stable/c/3253b7b7cd44c4dd029a4ce280ef9f409a256e5f •