CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-40126 – sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
https://notcve.org/view.php?id=CVE-2025-40126
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_us... • https://git.kernel.org/stable/c/cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40125 – blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
https://notcve.org/view.php?id=CVE-2025-40125
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning: kernfs: can not remove 'nr_tags', no directory WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160 Call T... • https://git.kernel.org/stable/c/477e19dedc9d3e1f4443a1d4ae00572a988120ea •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-40124 – sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
https://notcve.org/view.php?id=CVE-2025-40124
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This lead to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy. The BUG_ON has been reported in https://lore.kernel.org/r/b14... • https://git.kernel.org/stable/c/ee841d0aff649164080e445e84885015958d8ff4 •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40123 – bpf: Enforce expected_attach_type for tailcall compatibility
https://notcve.org/view.php?id=CVE-2025-40123
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al. recently reported: Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to deference the txq member of struct xdp_buff object. The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point f... • https://git.kernel.org/stable/c/5e43f899b03a3492ce5fc44e8900becb04dae9c0 •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40121 – ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
https://notcve.org/view.php?id=CVE-2025-40121
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unepxected results like OOB access. This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed. In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5651: F... • https://git.kernel.org/stable/c/64484ccee7af53f08cca2ee3853cb8e18914d8b2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40116 – usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
https://notcve.org/view.php?id=CVE-2025-40116
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it. In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the max3421_hc... • https://git.kernel.org/stable/c/05dfa5c9bc37933181b619e42ec0eeb41ef31362 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40115 – scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
https://notcve.org/view.php?id=CVE-2025-40115
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device. Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal. [83428... • https://git.kernel.org/stable/c/f92363d12359498f9a9960511de1a550f0ec41c2 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-40112 – sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara
https://notcve.org/view.php?id=CVE-2025-40112
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent ... • https://git.kernel.org/stable/c/7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40111 – drm/vmwgfx: Fix Use-after-free in validation
https://notcve.org/view.php?id=CVE-2025-40111
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely. In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the v... • https://git.kernel.org/stable/c/64ad2abfe9a628ce79859d072704bd1ef7682044 •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40110 – drm/vmwgfx: Fix a null-ptr access in the cursor snooper
https://notcve.org/view.php?id=CVE-2025-40110
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it. vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers because some svga commands accept SVGA3D_INVALID_ID to mean "no surface", unfortunately functions that accept the actual surfaces as objects might (and in case of the cursor snooper, do not) be able to ha... • https://git.kernel.org/stable/c/c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 •