CVSS: 6.9EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38448 – usb: gadget: u_serial: Fix race condition in TTY wakeup
https://notcve.org/view.php?id=CVE-2025-38448
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_r... • https://git.kernel.org/stable/c/35f95fd7f234d2b58803bab6f6ebd6bb988050a2 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38445 – md/raid1: Fix stack memory use after return in raid1_reshape
https://notcve.org/view.php?id=CVE-2025-38445
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init... • https://git.kernel.org/stable/c/afeee514ce7f4cab605beedd03be71ebaf0c5fc8 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38444 – raid10: cleanup memleak at raid10_make_request
https://notcve.org/view.php?id=CVE-2025-38444
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm "fio", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............. • https://git.kernel.org/stable/c/39db562b3fedb93978a7e42dd216b306740959f8 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38443 – nbd: fix uaf in nbd_genl_connect() error path
https://notcve.org/view.php?id=CVE-2025-38443
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0... • https://git.kernel.org/stable/c/6497ef8df568afbf5f3e38825a4590ff41611a54 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38439 – bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
https://notcve.org/view.php?id=CVE-2025-38439
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c ... • https://git.kernel.org/stable/c/f18c2b77b2e4eec2313d519ba125bd6a069513cf •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38438 – ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.
https://notcve.org/view.php?id=CVE-2025-38438
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. sof_pdata->tplg_filename can have address allocated by kstrdup() and can be overwritten. Memory leak was detected with kmemleak: unreferenced object 0xffff88812391ff60 (size 16): comm "kworker/4:1", pid 161, jiffies 4294802931 hex dump (first 16 bytes): 73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic. backtrace (crc 4bf1675c): __kmalloc_node_track_caller_noprof+0x49... • https://git.kernel.org/stable/c/dd96daca6c83ecaf37f38ff49d8d174bbff576b4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38437 – ksmbd: fix potential use-after-free in oplock/lease break ack
https://notcve.org/view.php?id=CVE-2025-38437
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen by accessing opinfo->state and opinfo_put and ksmbd_fd_put could called twice. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen by accessing opinfo->state and opinfo_put and ksmbd... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38436 – drm/scheduler: signal scheduled fence when kill job
https://notcve.org/view.php?id=CVE-2025-38436
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/scheduler: signal scheduled fence when kill job When an entity from application B is killed, drm_sched_entity_kill() removes all jobs belonging to that entity through drm_sched_entity_kill_jobs_work(). If application A's job depends on a scheduled fence from application B's job, and that fence is not properly signaled during the killing process, application A's dependency cannot be cleared. This leads to application A hanging indefinite... • https://git.kernel.org/stable/c/a72ce6f84109c1dec1ab236d65979d3250668af3 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38430 – nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
https://notcve.org/view.php?id=CVE-2025-38430
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure. • https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38428 – Input: ims-pcu - check record size in ims_pcu_flash_firmware()
https://notcve.org/view.php?id=CVE-2025-38428
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec->data, len);" • https://git.kernel.org/stable/c/628329d52474323938a03826941e166bc7c8eff4 •