CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38117 – Bluetooth: MGMT: Protect mgmt_pending list with its own lock
https://notcve.org/view.php?id=CVE-2025-38117
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmt_pending list with its own lock This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like: ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318 CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15... • https://git.kernel.org/stable/c/a380b6cff1a2d2139772e88219d08330f84d0381 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38115 – net_sched: sch_sfq: fix a potential crash on gso_skb handling
https://notcve.org/view.php?id=CVE-2025-38115
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop. Fix sfq_drop() to properly clear q->tail in this situation. ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K... • https://git.kernel.org/stable/c/a53851e2c3218aa30b77abd6e68cf1c371f15afe •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38112 – net: Fix TOCTOU issue in sk_is_readable()
https://notcve.org/view.php?id=CVE-2025-38112
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Fix TOCTOU issue in sk_is_readable() sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL. This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereferen... • https://git.kernel.org/stable/c/8934ce2fd08171e8605f7fada91ee7619fe17ab8 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38111 – net/mdiobus: Fix potential out-of-bounds read/write access
https://notcve.org/view.php?id=CVE-2025-38111
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation sh... • https://git.kernel.org/stable/c/080bb352fad00d04995102f681b134e3754bfb6e •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38108 – net_sched: red: fix a race in __red_change()
https://notcve.org/view.php?id=CVE-2025-38108
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()... • https://git.kernel.org/stable/c/0c8d13ac96070000da33f394f45e9c19638483c5 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2025-38107 – net_sched: ets: fix a race in ets_qdisc_change()
https://notcve.org/view.php?id=CVE-2025-38107
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backl... • https://git.kernel.org/stable/c/699d82e9a6db29d509a71f1f2f4316231e6232e6 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-38105 – ALSA: usb-audio: Kill timer properly at removal
https://notcve.org/view.php?id=CVE-2025-38105
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(... • https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5 •
CVSS: -EPSS: %CPEs: 15EXPL: 0CVE-2025-38103 – HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
https://notcve.org/view.php?id=CVE-2025-38103
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are val... • https://git.kernel.org/stable/c/f043bfc98c193c284e2cd768fefabe18ac2fed9b •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38102 – VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
https://notcve.org/view.php?id=CVE-2025-38102
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace:
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38100 – x86/iopl: Cure TIF_IO_BITMAP inconsistencies
https://notcve.org/view.php?id=CVE-2025-38100
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_upd... • https://git.kernel.org/stable/c/ea5f1cd7ab494f65f50f338299eabb40ad6a1767 •