CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-22090 – x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()
https://notcve.org/view.php?id=CVE-2025-22090
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. As fork() fails, we'll cleanup the maple tree, and stumble over the dst VMA for which we neither performed any reservation nor copied any page tables. Consequently untrack_pfn() will see VM_PAT and try obtaining the PAT information from the page table -- which fails because the page table was not ... • https://git.kernel.org/stable/c/2ab640379a0ab4cef746ced1d7e04a0941774bcb •
CVSS: 5.5EPSS: %CPEs: 7EXPL: 0CVE-2025-22089 – RDMA/core: Don't expose hw_counters outside of init net namespace
https://notcve.org/view.php?id=CVE-2025-22089
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one: [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 [42021.814463] #PF: supervisor read access i... • https://git.kernel.org/stable/c/467f432a521a284c418e3d521ee51840a5e23424 •
CVSS: 5.5EPSS: %CPEs: 6EXPL: 0CVE-2025-22088 – RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
https://notcve.org/view.php?id=CVE-2025-22088
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue. In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a... • https://git.kernel.org/stable/c/920d93eac8b97778fef48f34f10e58ddf870fc2a •
CVSS: 5.5EPSS: %CPEs: 9EXPL: 0CVE-2025-22086 – RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
https://notcve.org/view.php?id=CVE-2025-22086
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against... • https://git.kernel.org/stable/c/e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-22083 – vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
https://notcve.org/view.php?id=CVE-2025-22083
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scs... • https://git.kernel.org/stable/c/4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 •
CVSS: 7.8EPSS: %CPEs: 7EXPL: 0CVE-2025-22081 – fs/ntfs3: Fix a couple integer overflows on 32bit systems
https://notcve.org/view.php?id=CVE-2025-22081
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a couple integer overflows on 32bit systems On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can have an integer wrapping issue. Fix it by using size_add(). In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a couple integer overflows on 32bit systems On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can have an integer wrapping issue. Fix it by using size_add(). • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-22080 – fs/ntfs3: Prevent integer overflow in hdr_first_de()
https://notcve.org/view.php?id=CVE-2025-22080
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Prevent integer overflow in hdr_first_de() The "de_off" and "used" variables come from the disk so they both need to check. The problem is that on 32bit systems if they're both greater than UINT_MAX - 16 then the check does work as intended because of an integer overflow. In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Prevent integer overflow in hdr_first_de() The "de_off" and "used" variables come f... • https://git.kernel.org/stable/c/60ce8dfde03558bfc290cd915c60fa243ba2ae84 •
CVSS: 7.1EPSS: %CPEs: 9EXPL: 0CVE-2025-22079 – ocfs2: validate l_tree_depth to avoid out-of-bounds access
https://notcve.org/view.php?id=CVE-2025-22079
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate l_tree_depth to avoid out-of-bounds access The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is limited to OCFS2_MAX_PATH_DEPTH. Add a check to prevent out-of-bounds access if l_tree_depth has an invalid value, which may occur when reading from a corrupted mounted disk [1]. In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate l_tree_depth to avoid out-of-bounds access The ... • https://git.kernel.org/stable/c/ccd979bdbce9fba8412beb3f1de68a9d0171b12c •
CVSS: 8.5EPSS: %CPEs: 7EXPL: 0CVE-2025-22077 – smb: client: Fix netns refcount imbalance causing leaks and use-after-free
https://notcve.org/view.php?id=CVE-2025-22077
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix netns refcount imbalance causing leaks and use-after-free Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") attempted to fix a netns use-after-free issue by manually adjusting reference counts via sk->sk_net_refcnt and sock_inuse_add(). However, a later commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") pointed out that the approach of manually setting sk->sk_net_refcnt in t... • https://git.kernel.org/stable/c/e8c71494181153a134c96da28766a57bd1eac8cb •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2025-22075 – rtnetlink: Allocate vfinfo size for VF GUIDs when supported
https://notcve.org/view.php?id=CVE-2025-22075
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Allocate vfinfo size for VF GUIDs when supported Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs") added support for getting VF port and node GUIDs in netlink ifinfo messages, but their size was not taken into consideration in the function that allocates the netlink message, causing the following warning when a netlink message is filled with many VF port and node GUIDs: # echo 64 > /sys/bus/pci/devices/0000\:08\:... • https://git.kernel.org/stable/c/30aad41721e087babcf27c5192474724d555936c •