CVSS: 6.6EPSS: %CPEs: 6EXPL: 0CVE-2025-38623 – PCI: pnv_php: Fix surprise plug detection and recovery
https://notcve.org/view.php?id=CVE-2025-38623
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Fix surprise plug detection and recovery The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices. This comes down to two issues: 1) When a device is surprise removed, often the bridge upstream port will cause a PE freeze on the PHB. If this freeze is not cleared, the MSI interrupts from ... • https://git.kernel.org/stable/c/473999ba937eac9776be791deed7c84a21d7880b •
CVSS: 5.5EPSS: %CPEs: 6EXPL: 0CVE-2025-38622 – net: drop UFO packets in udp_rcv_segment()
https://notcve.org/view.php?id=CVE-2025-38622
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net: drop UFO packets in udp_rcv_segment() When sending a packet with virtio_net_hdr to tun device, if the gso_type in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr size, below crash may happen. ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:4572! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary) Hardware name: QEMU Standard ... • https://git.kernel.org/stable/c/cf329aa42b6659204fee865bbce0ea20462552eb •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-38621 – md: make rdev_addable usable for rcu mode
https://notcve.org/view.php?id=CVE-2025-38621
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: md: make rdev_addable usable for rcu mode Our testcase trigger panic: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Workqueue: md_misc md_start_sync RIP: 0010:rdev_addable+0x4d/0xf0 ... Call Trace:
CVSS: 6.2EPSS: %CPEs: 4EXPL: 0CVE-2025-38619 – media: ti: j721e-csi2rx: fix list_del corruption
https://notcve.org/view.php?id=CVE-2025-38619
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: media: ti: j721e-csi2rx: fix list_del corruption If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue. This causes the same buffer to be retried in the next iteration, resulting in a double list_del() and eventual list corruption. Fix this by removing the buffer from the queue before calling vb2_buffer_done() on error. This resolves a crash due t... • https://git.kernel.org/stable/c/b4a3d877dc92963a4db16ddb71df3d333c0d40bd •
CVSS: 7.1EPSS: %CPEs: 6EXPL: 0CVE-2025-38618 – vsock: Do not allow binding to VMADDR_PORT_ANY
https://notcve.org/view.php?id=CVE-2025-38618
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDR_PORT_ANY It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction). Modify ... • https://git.kernel.org/stable/c/d021c344051af91f42c5ba9fdedc176740cbd238 •
CVSS: 6.9EPSS: %CPEs: 6EXPL: 0CVE-2025-38617 – net/packet: fix a race in packet_set_ring() and packet_notifier()
https://notcve.org/view.php?id=CVE-2025-38617
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: %CPEs: 4EXPL: 0CVE-2025-38616 – tls: handle data disappearing from under the TLS ULP
https://notcve.org/view.php?id=CVE-2025-38616
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry... • https://git.kernel.org/stable/c/84c61fe1a75b4255df1e1e7c054c9e6d048da417 •
CVSS: 5.5EPSS: %CPEs: 7EXPL: 0CVE-2024-58239 – tls: stop recv() if initial process_rx_list gave us non-DATA
https://notcve.org/view.php?id=CVE-2024-58239
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: tls: stop recv() if initial process_rx_list gave us non-DATA If we have a non-DATA record on the rx_list and another record of the same type still on the queue, we will end up merging them: - process_rx_list copies the non-DATA record - we start the loop and process the first available record since it's of the same type - we break out of the loop since the record was not DATA Just check the record type and jump to the end in case process_rx... • https://git.kernel.org/stable/c/692d7b5d1f9125a1cf0595e979e3b5fb7210547e •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38615 – fs/ntfs3: cancle set bad inode after removing name fails
https://notcve.org/view.php?id=CVE-2025-38615
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: cancle set bad inode after removing name fails The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link. When renaming, the file0's inode is marked as a bad inode because the file name cannot be deleted. The underlying bug is that make_bad_inode() is called on a live inode. In some cases it's "icache lookup finds a normal inode, d_splice_alias() is called to attach it to dentry, while another thread decides to ca... • https://git.kernel.org/stable/c/78ab59fee07f22464f32eafebab2bd97ba94ff2d •
CVSS: 6.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38614 – eventpoll: Fix semi-unbounded recursion
https://notcve.org/view.php?id=CVE-2025-38614
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the pa... • https://git.kernel.org/stable/c/22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e •