CVSS: 7.8EPSS: %CPEs: 6EXPL: 0CVE-2025-37923 – tracing: Fix oob write in trace_seq_to_buffer()
https://notcve.org/view.php?id=CVE-2025-37923
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace_seq_to_buffer() syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260 CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainte... • https://git.kernel.org/stable/c/3c56819b14b00dd449bd776303e61f8532fad09f •
CVSS: 4.3EPSS: %CPEs: 3EXPL: 0CVE-2025-37907 – accel/ivpu: Fix locking order in ivpu_job_submit
https://notcve.org/view.php?id=CVE-2025-37907
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix locking order in ivpu_job_submit Fix deadlock in job submission and abort handling. When a thread aborts currently executing jobs due to a fault, it first locks the global lock protecting submitted_jobs (#1). After the last job is destroyed, it proceeds to release the related context and locks file_priv (#2). Meanwhile, in the job submission thread, the file_priv lock (#2) is taken first, and then the submitted_jobs lock (#1... • https://git.kernel.org/stable/c/079d2622f8c9e0c380149645fff21d35c59ce6ff •
CVSS: 7.8EPSS: %CPEs: 3EXPL: 0CVE-2025-37899 – ksmbd: fix use-after-free in session logoff
https://notcve.org/view.php?id=CVE-2025-37899
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user ... • https://git.kernel.org/stable/c/d5ec1d79509b3ee01de02c236f096bc050221b7f •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37892 – mtd: inftlcore: Add error check for inftl_read_oob()
https://notcve.org/view.php?id=CVE-2025-37892
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fails. In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwri... • https://git.kernel.org/stable/c/8593fbc68b0df1168995de76d1af38eb62fd6b62 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53146 – media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
https://notcve.org/view.php?id=CVE-2023-53146
14 May 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach dw2102_i2c_transfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 950e252cb469 ("[media] dw2102: limit messages... • https://git.kernel.org/stable/c/77cbd42d29de9ffc93d5529bab8813cde53af14c •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2023-53145 – Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
https://notcve.org/view.php?id=CVE-2023-53145
10 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame. If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove. In the Linux kernel, the following vulnerability has been resolved: Blueto... • https://git.kernel.org/stable/c/6c3653627397a0d6eab19b20a59423e118985a6b •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-37885 – KVM: x86: Reset IRTE to host control if *new* route isn't postable
https://notcve.org/view.php?id=CVE-2025-37885
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reset IRTE to host control if *new* route isn't postable Restore an IRTE back to host control (remapped or posted MSI mode) if the *new* GSI route prevents posting the IRQ directly to a vCPU, regardless of the GSI routing type. Updating the IRTE if and only if the new GSI is an MSI results in KVM leaving an IRTE posting to a vCPU. The dangling IRTE can result in interrupts being incorrectly delivered to the guest, and in the worst... • https://git.kernel.org/stable/c/efc644048ecde54f016011fe10110addd0de348f •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37884 – bpf: Fix deadlock between rcu_tasks_trace and event_mutex.
https://notcve.org/view.php?id=CVE-2025-37884
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Fix the following deadlock: CPU A _free_event() perf_kprobe_destroy() mutex_lock(&event_mutex) perf_trace_event_unreg() synchronize_rcu_tasks_trace() There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case. CPU B bpf_prog_test_run_syscall() rcu_read_lock_trace() bpf_prog_run_pin_on_cpu() bpf_prog_load() bpf_tracing_func_pr... • https://git.kernel.org/stable/c/255cbc9db7067a83713fd2f4b31034ddd266549a •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37883 – s390/sclp: Add check for get_zeroed_page()
https://notcve.org/view.php?id=CVE-2025-37883
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Add check for get_zeroed_page() Add check for the return value of get_zeroed_page() in sclp_console_init() to prevent null pointer dereference. Furthermore, to solve the memory leak caused by the loop allocation, add a free helper to do the free job. In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Add check for get_zeroed_page() Add check for the return value of get_zeroed_page() in sclp_console_ini... • https://git.kernel.org/stable/c/e1e00dc45648125ef7cb87ebc3b581ac224e7b39 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37882 – usb: xhci: Fix isochronous Ring Underrun/Overrun event handling
https://notcve.org/view.php?id=CVE-2025-37882
09 May 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix isochronous Ring Underrun/Overrun event handling The TRB pointer of these events points at enqueue at the time of error occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we are handling the event, a new TD may be queued at this ring position. I can trigger this race by rising interrupt moderation to increase IRQ handling delay. Similar delay may occur naturally due to system load. If this ever happens after ... • https://git.kernel.org/stable/c/16a7a8e6c47fea5c847beb696c8c21a7a44c1915 •