CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38275 – phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
https://notcve.org/view.php?id=CVE-2025-38275
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference. Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error point... • https://git.kernel.org/stable/c/a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38273 – net: tipc: fix refcount warning in tipc_aead_encrypt
https://notcve.org/view.php?id=CVE-2025-38273
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup. The recently added get_net() call in commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to hold a reference to the network namespace. ... • https://git.kernel.org/stable/c/d42ed4de6aba232d946d20653a70f79158a6535b •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38272 – net: dsa: b53: do not enable EEE on bcm63xx
https://notcve.org/view.php?id=CVE-2025-38272
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: b53: do not enable EEE on bcm63xx BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs are EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers. Fix this by checking if the switch actually supports EEE before attempting to configure it. In the Linux kernel, the following vuln... • https://git.kernel.org/stable/c/22256b0afb12333571ad11799fa68fd27e4f4e80 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38269 – btrfs: exit after state insertion failure at btrfs_convert_extent_bit()
https://notcve.org/view.php?id=CVE-2025-38269
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: exit after state insertion failure at btrfs_convert_extent_bit() If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access. So jump to the 'out' label after calling ext... • https://git.kernel.org/stable/c/58c50f45e1821a04d61b62514f9bd34afe67c622 •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38264 – nvme-tcp: sanitize request list handling
https://notcve.org/view.php?id=CVE-2025-38264
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop in request list processing. In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop ... • https://git.kernel.org/stable/c/3f2304f8c6d6ed97849057bd16fee99e434ca796 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38263 – bcache: fix NULL pointer in cache_set_flush()
https://notcve.org/view.php?id=CVE-2025-38263
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init... • https://git.kernel.org/stable/c/cafe563591446cf80bfbc2fe3bc72a2e36cf1060 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38262 – tty: serial: uartlite: register uart driver in init
https://notcve.org/view.php?id=CVE-2025-38262
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads... • https://git.kernel.org/stable/c/238b8721a554a33a451a3f13bdb5be8fe5cfc927 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38261 – riscv: save the SR_SUM status over switches
https://notcve.org/view.php?id=CVE-2025-38261
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: riscv: save the SR_SUM status over switches When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR_SUM state restored. The issue was seen under heavy load especially with the syz-stress tool running, with crashes as follows in schedule_tail: Unable to handle kernel access to user memory without uaccess routines at virtual address 000000002749f0d0 Oops [#1] Modules linked... • https://git.kernel.org/stable/c/76d2a0493a17d4c8ecc781366850c3c4f8e1a446 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38259 – ASoC: codecs: wcd9335: Fix missing free of regulator supplies
https://notcve.org/view.php?id=CVE-2025-38259
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9335: Fix missing free of regulator supplies Driver gets and enables all regulator supplies in probe path (wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup in final error paths and in unbind (missing remove() callback). This leads to leaked memory and unbalanced regulator enable count during probe errors or unbind. Fix this by converting entire code into devm_regulator_bulk_get_enable() which also grea... • https://git.kernel.org/stable/c/20aedafdf4926e7a957f8b302a18c8fb75c7e332 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38257 – s390/pkey: Prevent overflow in size calculation for memdup_user()
https://notcve.org/view.php?id=CVE-2025-38257
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_... • https://git.kernel.org/stable/c/f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d •