CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40070 – pps: fix warning in pps_register_cdev when register device fail
https://notcve.org/view.php?id=CVE-2025-40070
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/co... • https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40068 – fs: ntfs3: Fix integer overflow in run_unpack()
https://notcve.org/view.php?id=CVE-2025-40068
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: Fix integer overflow in run_unpack() The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function. The run_unpack function decodes the compressed runlist data format from MFT attributes (f... • https://git.kernel.org/stable/c/4342306f0f0d5ff4315a204d315c1b51b914fca5 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40067 – fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist
https://notcve.org/view.php?id=CVE-2025-40067
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist Index allocation requires at least one bit in the $BITMAP attribute to track usage of index entries. If the bitmap is empty while index blocks are already present, this reflects on-disk corruption. syzbot triggered this condition using a malformed NTFS image. During a rename() operation involving a long filename (which spans multiple index entries), the empty bitmap allo... • https://git.kernel.org/stable/c/b35a50d639ca5259466ef5fea85529bb4fb17d5b •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40065 – RISC-V: KVM: Write hgatp register with valid mode bits
https://notcve.org/view.php?id=CVE-2025-40065
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: RISC-V: KVM: Write hgatp register with valid mode bits According to the RISC-V Privileged Architecture Spec, when MODE=Bare is selected,software must write zero to the remaining fields of hgatp. We have detected the valid mode supported by the HW before, So using a valid mode to detect how many vmid bits are supported. In the Linux kernel, the following vulnerability has been resolved: RISC-V: KVM: Write hgatp register with valid mode bits ... • https://git.kernel.org/stable/c/fd7bb4a251dfc1da3496bf59a4793937c13e8c1f •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40064 – smc: Fix use-after-free in __pnet_find_base_ndev().
https://notcve.org/view.php?id=CVE-2025-40064
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in __pnet_find_base_ndev(). syzbot reported use-after-free of net_device in __pnet_find_base_ndev(), which was called during connect(). [0] smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened at __pnet_find_base_ndev() when the dev is first used. This means dev had already been freed before acquiring RTNL in pnet_find_base_ndev(). W... • https://git.kernel.org/stable/c/0afff91c6f5ecef27715ea71e34dc2baacba1060 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40062 – crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs
https://notcve.org/view.php?id=CVE-2025-40062
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs When the initialization of qm->debug.acc_diff_reg fails, the probe process does not exit. However, after qm->debug.qm_diff_regs is freed, it is not set to NULL. This can lead to a double free when the remove process attempts to free it again. Therefore, qm->debug.qm_diff_regs should be set to NULL after it is freed. In the Linux kernel, the following vulnerability has been resolved: ... • https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c •
CVSS: 6.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40061 – RDMA/rxe: Fix race in do_task() when draining
https://notcve.org/view.php?id=CVE-2025-40061
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race in do_task() when draining When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task(). While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while w... • https://git.kernel.org/stable/c/9b4b7c1f9f54120940e243251e2b1407767b3381 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40060 – coresight: trbe: Return NULL pointer for allocation failures
https://notcve.org/view.php?id=CVE-2025-40060
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: coresight: trbe: Return NULL pointer for allocation failures When the TRBE driver fails to allocate a buffer, it currently returns the error code "-ENOMEM". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic. Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows that the callers can ... • https://git.kernel.org/stable/c/3fbf7f011f2426dac8c982f1d2ef469a7959a524 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40059 – coresight: Fix incorrect handling for return value of devm_kzalloc
https://notcve.org/view.php?id=CVE-2025-40059
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: coresight: Fix incorrect handling for return value of devm_kzalloc The return value of devm_kzalloc could be an null pointer, use "!desc.pdata" to fix incorrect handling return value of devm_kzalloc. In the Linux kernel, the following vulnerability has been resolved: coresight: Fix incorrect handling for return value of devm_kzalloc The return value of devm_kzalloc could be an null pointer, use "!desc.pdata" to fix incorrect handling return... • https://git.kernel.org/stable/c/4277f035d227e829133df284be7e35b7236a5b0f •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40058 – iommu/vt-d: Disallow dirty tracking if incoherent page walk
https://notcve.org/view.php?id=CVE-2025-40058
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Disallow dirty tracking if incoherent page walk Dirty page tracking relies on the IOMMU atomically updating the dirty bit in the paging-structure entry. For this operation to succeed, the paging- structure memory must be coherent between the IOMMU and the CPU. In another word, if the iommu page walk is incoherent, dirty page tracking doesn't work. The Intel VT-d specification, Section 3.10 "Snoop Behavior" states: "Remapping har... • https://git.kernel.org/stable/c/f35f22cc760eb2c7034bf53251399685d611e03f •