CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40049 – Squashfs: fix uninit-value in squashfs_get_parent
https://notcve.org/view.php?id=CVE-2025-40049
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: fix uninit-value in squashfs_get_parent Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory. Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field. unsigned int parent_ino ... • https://git.kernel.org/stable/c/122601408d20c77704268f1dea9f9ce4abf997c2 •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40048 – uio_hv_generic: Let userspace take care of interrupt mask
https://notcve.org/view.php?id=CVE-2025-40048
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Let userspace take care of interrupt mask Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.... • https://git.kernel.org/stable/c/95096f2fbd10186d3e78a328b327afc71428f65f •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40044 – fs: udf: fix OOB read in lengthAllocDescs handling
https://notcve.org/view.php?id=CVE-2025-40044
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: udf: fix OOB read in lengthAllocDescs handling When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BU... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40043 – net: nfc: nci: Add parameter validation for packet data
https://notcve.org/view.php?id=CVE-2025-40043
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Add parameter validation for packet data Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools"). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40042 – tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-40042
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatc... • https://git.kernel.org/stable/c/50d780560785b068c358675c5f0bf6c83b5c373e •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40040 – mm/ksm: fix flag-dropping behavior in ksm_madvise
https://notcve.org/view.php?id=CVE-2025-40040
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/ksm: fix flag-dropping behavior in ksm_madvise syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ... • https://git.kernel.org/stable/c/7677f7fd8be76659cd2d0db8ff4093bbb51c20e5 •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40036 – misc: fastrpc: fix possible map leak in fastrpc_put_args
https://notcve.org/view.php?id=CVE-2025-40036
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix possible map leak in fastrpc_put_args copy_to_user() failure would cause an early return without cleaning up the fdlist, which has been updated by the DSP. This could lead to map leak. Fix this by redirecting to a cleanup path on failure, ensuring that all mapped buffers are properly released before returning. In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix possible map leak in fastr... • https://git.kernel.org/stable/c/c68cfb718c8f97b7f7a50ed66be5feb42d0c8988 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40035 – Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
https://notcve.org/view.php?id=CVE-2025-40035
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace. Initialize ff_up_compat to zero before filling valid fields. In the... • https://git.kernel.org/stable/c/2d56f3a32c0e62f99c043d2579840f9731fe5855 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40032 – PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
https://notcve.org/view.php?id=CVE-2025-40032
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan(). Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases: Unable to handle... • https://git.kernel.org/stable/c/5ebf3fc59bd20d17df3ba26159787d13cf20d362 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40030 – pinctrl: check the return value of pinmux_ops::get_function_name()
https://notcve.org/view.php?id=CVE-2025-40030
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: check the return value of pinmux_ops::get_function_name() While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp(... • https://git.kernel.org/stable/c/1a7fc8fed2bb2e113604fde7a45432ace2056b97 •