CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-22092 – PCI: Fix NULL dereference in SR-IOV VF creation error path
https://notcve.org/view.php?id=CVE-2025-22092
16 Apr 2025 — BUG: kernel NULL pointer dereference, address: 00000000000000d0 RIP: 0010:device_del+0x3d/0x3d0 Call Trace: pci_remove_bus_device+0x7c/0x100 pci_iov_add_virtfn+0xfa/0x200 sriov_enable+0x208/0x420 mlx5_core_sriov_configure+0x6a/0x160 [mlx5_core] sriov_numvfs_store+0xae/0x1a0 [bhelgaas: commit log, return ERR_PTR(-ENOMEM) directly] In the Linux kernel, the following vulnerability has been resolved: PCI: Fix NULL dereference in SR-IOV VF creation error path Clean up when virtfn setup fails to prevent NU... • https://git.kernel.org/stable/c/e3f30d563a388220a7c4e3b9a7b52ac0b0324b26 •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22091 – RDMA/mlx5: Fix page_size variable overflow
https://notcve.org/view.php?id=CVE-2025-22091
16 Apr 2025 — __pte_offset_map_lock+0x80/0x100 ib_uverbs_ioctl+0xac/0x110 [ib_uverbs] __x64_sys_ioctl+0x94/0xb0 do_syscall_64+0x50/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fb7ecf0737b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 2a 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffdbe03ecc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffdbe03edb8 RCX: 000... • https://git.kernel.org/stable/c/cef7dde8836ab09a3bfe96ada4f18ef2496eacc9 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-22090 – x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()
https://notcve.org/view.php?id=CVE-2025-22090
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. ... Keep the documentation of these functions in include/linux/pgtable.h, one place is more than sufficient -- we should clean that up for the other functions like track_pfn_remap/untrack_pfn separately. Keep the documentation of these functions in include/linux/pgtable.h, one... • https://git.kernel.org/stable/c/2ab640379a0ab4cef746ced1d7e04a0941774bcb •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-22089 – RDMA/core: Don't expose hw_counters outside of init net namespace
https://notcve.org/view.php?id=CVE-2025-22089
16 Apr 2025 — With this fix applied hw_counters are not available in a non-init net namespace: find /sys/class/infiniband/mlx4_0/ -name hw_counters /sys/class/infiniband/mlx4_0/ports/1/hw_counters /sys/class/infiniband/mlx4_0/ports/2/hw_counters /sys/class/infiniband/mlx4_0/hw_counters ip netns add foo ip netns exec foo bash find /sys/class/infiniband/mlx4_0/ -name hw_counters In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commi... • https://git.kernel.org/stable/c/467f432a521a284c418e3d521ee51840a5e23424 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22088 – RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
https://notcve.org/view.php?id=CVE-2025-22088
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a U... • https://git.kernel.org/stable/c/920d93eac8b97778fef48f34f10e58ddf870fc2a • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22087 – bpf: Fix array bounds error with may_goto
https://notcve.org/view.php?id=CVE-2025-22087
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix array bounds error with may_goto may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index by stack_size. In the Linux kernel, the following vulnerability has been resolved: bpf: Fix array bounds error with may_goto may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index b... • https://git.kernel.org/stable/c/011832b97b311bb9e3c27945bc0d1089a14209c9 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-22086 – RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
https://notcve.org/view.php?id=CVE-2025-22086
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. ... kthreads_online_cpu+0x130/0x130 ret_from_fork_asm+0x11/0x20 In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to a... • https://git.kernel.org/stable/c/e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22085 – RDMA/core: Fix use-after-free when rename device name
https://notcve.org/view.php?id=CVE-2025-22085
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix use-after-free when rename device name Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025 CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name:... • https://git.kernel.org/stable/c/9cbed5aab5aeea420d0aa945733bf608449d44fb • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22084 – w1: fix NULL pointer dereference in probe
https://notcve.org/view.php?id=CVE-2025-22084
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: w1: fix NULL pointer dereference in probe The w1_uart_probe() function calls w1_uart_serdev_open() (which includes devm_serdev_device_open()) before setting the client ops via serdev_device_set_client_ops(). In the Linux kernel, the following vulnerability has been resolved: w1: fix NULL pointer dereference in probe The w1_uart_probe() function calls w1_uart_serdev_open() (which includes devm_serdev_device_open()) before setti... • https://git.kernel.org/stable/c/a3c08804364e80328a9ffdac59bb26676b938195 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-22083 – vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
https://notcve.org/view.php?id=CVE-2025-22083
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_s... • https://git.kernel.org/stable/c/4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 •