CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38311 – iavf: get rid of the crit lock
https://notcve.org/view.php?id=CVE-2025-38311
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: iavf: get rid of the crit lock Get rid of the crit lock. That frees us from the error prone logic of try_locks. Thanks to netdev_lock() by Jakub it is now easy, and in most cases we were protected by it already - replace crit lock by netdev lock when it was not the case. Lockdep reports that we should cancel the work under crit_lock [splat1], and that was the scheme we have mostly followed since [1] by Slawomir. But when that is done we sti... • https://git.kernel.org/stable/c/d1639a17319ba78a018280cd2df6577a7e5d9fab •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38310 – seg6: Fix validation of nexthop addresses
https://notcve.org/view.php?id=CVE-2025-38310
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by validating that the provided length exactly matches the specified one. In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validati... • https://git.kernel.org/stable/c/d1df6fd8a1d22d37cffa0075ab8ad423ce656777 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38307 – ASoC: Intel: avs: Verify content returned by parse_int_array()
https://notcve.org/view.php?id=CVE-2025-38307
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Verify content returned by parse_int_array() The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref. In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Verify content returned by parse_int_array() The first element of the returned array stores its length. If it is 0, any manipulation beyond the element... • https://git.kernel.org/stable/c/5a565ba23abe478f3d4c3b0c8798bcb5215b82f5 •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38306 – fs/fhandle.c: fix a race in call of has_locked_children()
https://notcve.org/view.php?id=CVE-2025-38306
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/fhandle.c: fix a race in call of has_locked_children() may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race... The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question. Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it. Make has_locked_children... • https://git.kernel.org/stable/c/620c266f394932e5decc4b34683a75dfc59dc2f4 •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38305 – ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
https://notcve.org/view.php?id=CVE-2025-38305
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store(). ============================================ WARNING: possible recursive lo... • https://git.kernel.org/stable/c/73f37068d540eba5f93ba3a0019bf479d35ebd76 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38304 – Bluetooth: Fix NULL pointer deference on eir_get_service_data
https://notcve.org/view.php?id=CVE-2025-38304
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DA... • https://git.kernel.org/stable/c/8f9ae5b3ae80f168a6224529e3787f4fb27f299a •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38303 – Bluetooth: eir: Fix possible crashes on eir_create_adv_data
https://notcve.org/view.php?id=CVE-2025-38303
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix possible crashes on eir_create_adv_data eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix possible crashes on eir_create_adv_data eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit. • https://git.kernel.org/stable/c/01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38302 – block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work
https://notcve.org/view.php?id=CVE-2025-38302
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work Bios queued up in the zone write plug have already gone through all all preparation in the submit_bio path, including the freeze protection. Submitting them through submit_bio_noacct_nocheck duplicates the work and can can cause deadlocks when freezing a queue with pending bio write plugs. Go straight to ->submit_bio or blk_mq_submit_bio to bypass the superfluous extra fr... • https://git.kernel.org/stable/c/9b1ce7f0c6f82e241196febabddba5fab66c8f05 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38301 – nvmem: zynqmp_nvmem: unbreak driver after cleanup
https://notcve.org/view.php?id=CVE-2025-38301
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nvmem: zynqmp_nvmem: unbreak driver after cleanup Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") changed the driver to expect the device pointer to be passed as the "context", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed. In the Linux kernel, the following vulnerability has been resolved: nvmem: zynqmp_nvmem: unbre... • https://git.kernel.org/stable/c/29be47fcd6a06ea2e79eeeca6e69ad1e23254a69 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38300 – crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()
https://notcve.org/view.php?id=CVE-2025-38300
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg() fails for areq->dst, the device driver would try to free DMA memory it has not allocated in the first place. To fix this, on the "theend_sgs" error path, call dma unmap only if the corresponding dma map was successful. 2] If the dma_map_single() call for the IV fails, the dev... • https://git.kernel.org/stable/c/06f751b613296cc34b86fc83fccaf30d646eb8bc •