CVSS: 6.6 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40140 – net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
https://notcve.org/view.php?id=CVE-2025-40140
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:
rtl8150_start_xmit() {
    netif_stop_queue();
    usb_submit_urb(dev->tx_urb);
}
rtl8150_set_multicast() {
    netif_stop_queue();
    netif_wake_queue(); <-- wakes up TX queue before URB is done
}
rtl8150_start_xmit() {
    netif_stop_queue();
    usb_submit_urb(dev->tx_urb);...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.6 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40139 – smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set().
https://notcve.org/view.php?id=CVE-2025-40139
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set(). smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() after kernel_getsockname(). Note that the returned value of smc_clc_prfx_set() is not used in the caller. While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst ther... • https://git.kernel.org/stable/c/a046d57da19f812216f393e7c535f5858f793ac3 •
CVSS: 5.0 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40137 – f2fs: fix to truncate first page in error path of f2fs_truncate()
https://notcve.org/view.php?id=CVE-2025-40137
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate()
syzbot reports a bug as below:
loop0: detected capacity change from 0 to 40427
F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.
------------[ c...
• https://git.kernel.org/stable/c/92dffd01790a5219d234fc83c3ba854f4490b7f4 •
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40135 – ipv6: use RCU in ip6_xmit()
https://notcve.org/view.php?id=CVE-2025-40135
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40134 – dm: fix NULL pointer dereference in __dm_suspend()
https://notcve.org/view.php?id=CVE-2025-40134
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend()
There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:
BUG: kernel NULL pointer dereference, address: 0000000000000054
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 19...
• https://git.kernel.org/stable/c/c4576aed8d85d808cd6443bda58393d525207d01 •
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-40127 – hwrng: ks-sa - fix division by zero in ks_sa_rng_init
https://notcve.org/view.php?id=CVE-2025-40127
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: hwrng: ks-sa - fix division by zero in ks_sa_rng_init Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values. Add clock initialization code before using the clock. drivers/char/hw_random/ks-sa-rng.c | 7 +++++++ 1 file changed, 7 insertions(+) • https://git.kernel.org/stable/c/6d01d8511dceb9cd40f72eb102b7d24f0b2e997b •
CVSS: 5.5 | EPSS: 0% | CPEs: 10 | EXPL: 0
CVE-2025-40126 – sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
https://notcve.org/view.php?id=CVE-2025-40126
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_us... • https://git.kernel.org/stable/c/cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40125 – blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
https://notcve.org/view.php?id=CVE-2025-40125
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:
kernfs: can not remove 'nr_tags', no directory
WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160
Call T...
• https://git.kernel.org/stable/c/477e19dedc9d3e1f4443a1d4ae00572a988120ea •
CVSS: 5.5 | EPSS: 0% | CPEs: 10 | EXPL: 0
CVE-2025-40124 – sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
https://notcve.org/view.php?id=CVE-2025-40124
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This led to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy. The BUG_ON has been reported in https://lore.kernel.org/r/b14... • https://git.kernel.org/stable/c/ee841d0aff649164080e445e84885015958d8ff4 •
CVSS: 6.9 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40123 – bpf: Enforce expected_attach_type for tailcall compatibility
https://notcve.org/view.php?id=CVE-2025-40123
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al. recently reported: Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to dereference the txq member of struct xdp_buff object. The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point f... • https://git.kernel.org/stable/c/5e43f899b03a3492ce5fc44e8900becb04dae9c0 •
