
CVE-2025-39675 – drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
https://notcve.org/view.php?id=CVE-2025-39675
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference. Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function returns null.... • https://git.kernel.org/stable/c/2deade5ede56581722c0d7672f28b09548dc0fc4 •

CVE-2025-39673 – ppp: fix race conditions in ppp_fill_forward_path
https://notcve.org/view.php?id=CVE-2025-39673
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL b... • https://git.kernel.org/stable/c/f6efc675c9dd8d93f826b79ae7e33e03301db609 •

CVE-2025-38734 – net/smc: fix UAF on smcsk after smc_listen_out()
https://notcve.org/view.php?id=CVE-2025-38734
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing reported a UAF issue: [ 16.446633] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 16.447134] #PF: supervisor read access in kernel mode [ 16.447516] #PF: error_code(0x0000) - not-present page [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda7... • https://git.kernel.org/stable/c/3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 •

CVE-2025-38732 – netfilter: nf_reject: don't leak dst refcount for loopback packets
https://notcve.org/view.php?id=CVE-2025-38732
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets Recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] Ca... • https://git.kernel.org/stable/c/f53b9b0bdc59c0823679f2e3214e0d538f5951b9 •

CVE-2025-38729 – ALSA: usb-audio: Validate UAC3 power domain descriptors, too
https://notcve.org/view.php?id=CVE-2025-38729
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. • https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf •

CVE-2025-38728 – smb3: fix for slab out of bounds on mount to ksmbd
https://notcve.org/view.php?id=CVE-2025-38728
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_M... • https://git.kernel.org/stable/c/9bdb8e98a0073c73ab3e6c631ec78877ceb64565 •

CVE-2025-38727 – netlink: avoid infinite retry looping in netlink_unicast()
https://notcve.org/view.php?id=CVE-2025-38727
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: avoid infinite retry looping in netlink_unicast() netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem < READ_ONCE(sk->sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under: rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) The checks don't cover the case when skb->truesize + sk->sk_rmem_al... • https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c •

CVE-2025-38725 – net: usb: asix_devices: add phy_mask for ax88772 mdio bus
https://notcve.org/view.php?id=CVE-2025-38725
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly dereference member of phy... • https://git.kernel.org/stable/c/e532a096be0e5e570b383e71d4560e7f04384e0f •

CVE-2025-38724 – nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
https://notcve.org/view.php?id=CVE-2025-38724
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). A SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if the... • https://git.kernel.org/stable/c/d20c11d86d8f821a64eac7d6c8f296f06d935f4f •

CVE-2025-38721 – netfilter: ctnetlink: fix refcount leak on table dump
https://notcve.org/view.php?id=CVE-2025-38721
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table(): if (res < 0) { nf_conntrack_get(&ct->ct_general); // HERE cb->args[1] = (unsigned long)ct; ... While it's very unlikely, it's possible that ct == last. If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone. This prevents the conntrack object from being released, which in turn keeps pre... • https://git.kernel.org/stable/c/d205dc40798d97d63ad348bfaf7394f445d152d4 •