CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-23141 – KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
https://notcve.org/view.php?id=CVE-2025-23141
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and e... • https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-23140 – misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
https://notcve.org/view.php?id=CVE-2025-23140
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs have been released. However, some requested IRQs remain unreleased, so there are still /proc/irq/* entries remaining, and this results in WARN() with the following message: remove_proc_entry: removing non-em... • https://git.kernel.org/stable/c/e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23139 – Bluetooth: hci_uart: Fix another race during initialization
https://notcve.org/view.php?id=CVE-2025-23139
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: Fix another race during initialization Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'. Possible race is when someone calls 'hci_tty_uart_close()' after this bit is set, but 'hci_uart_register_dev()' wasn't done. This leads to access to uninitialized fields. To fix it let's set this bit after device was registered (as before patch c411c62cc133) and to fix previous problem let's add one more bit i... • https://git.kernel.org/stable/c/5df5dafc171b90d0b8d51547a82657cd5a1986c7 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-58099 – vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame
https://notcve.org/view.php?id=CVE-2024-58099
29 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame Andrew and Nikolay reported connectivity issues with Cilium's service load-balancing in case of vmxnet3. If a BPF program for native XDP adds an encapsulation header such as IPIP and transmits the packet out the same interface, then in case of vmxnet3 a corrupted packet is being sent and subsequently dropped on the path. vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xd... • https://git.kernel.org/stable/c/54f00cce11786742bd11e5e68c3bf85e6dc048c9 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37838 – HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
https://notcve.org/view.php?id=CVE-2025-37838
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above wil... • https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40364 – io_uring: fix io_req_prep_async with provided buffers
https://notcve.org/view.php?id=CVE-2025-40364
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix io_req_prep_async with provided buffers io_req_prep_async() can import provided buffers, commit the ring state by giving up on that before, it'll be reimported later if needed. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: corrige io_req_prep_async con búferes proporcionados io_req_prep_async() puede importar búferes proporcionados, confirmar el estado del anillo renunciando a eso antes, se volve... • https://git.kernel.org/stable/c/c7fb19428d67dd0a2a78a4f237af01d39c78dc5a •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40325 – md/raid10: wait barrier before returning discard request with REQ_NOWAIT
https://notcve.org/view.php?id=CVE-2025-40325
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: md/raid10: wait barrier before returning discard request with REQ_NOWAIT raid10_handle_discard should wait barrier before returning a discard bio which has REQ_NOWAIT. And there is no need to print warning calltrace if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks dmesg and reports error if dmesg has warning/error calltrace. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: md/raid10: esperar la barrera... • https://git.kernel.org/stable/c/c9aa889b035fca4598ae985a0f0c76ebbb547ad2 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40014 – objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq()
https://notcve.org/view.php?id=CVE-2025-40014
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() If speed_hz < AMD_SPI_MIN_HZ, amd_set_spi_freq() iterates over the entire amd_spi_freq array without breaking out early, causing 'i' to go beyond the array bounds. Fix that by stopping the loop when it gets to the last entry, so the low speed_hz value gets clamped up to AMD_SPI_MIN_HZ. Fixes the following warning with an UBSAN kernel: drivers/spi/spi-amd.o: error: objto... • https://git.kernel.org/stable/c/3fe26121dc3a9bf64e18fe0075cd9a92c9cd1b1a •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39989 – x86/mce: use is_copy_from_user() to determine copy-from-user context
https://notcve.org/view.php?id=CVE-2025-39989
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mce: use is_copy_from_user() to determine copy-from-user context Patch series "mm/hwpoison: Fix regressions in memory failure handling", v4. ## 1. What am I trying to do: This patchset resolves two critical regressions related to memory failure handling that have appeared in the upstream kernel since version 5.17, as compared to 5.10 LTS. - copyin case: poison found in user page while kernel copying from user space - instr case: poison ... • https://git.kernel.org/stable/c/4c132d1d844a53fc4e4b5c34e36ef10d6124b783 •
CVSS: 7.1EPSS: 0%CPEs: 11EXPL: 0CVE-2025-39735 – jfs: fix slab-out-of-bounds read in ea_get()
https://notcve.org/view.php?id=CVE-2025-39735
18 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get() During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t... • https://git.kernel.org/stable/c/6e39b681d1eb16f408493bf5023788b57f68998c •