CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21862 – drop_monitor: fix incorrect initialization order
https://notcve.org/view.php?id=CVE-2025-21862
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner:
CVSS: 7.9EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21861 – mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
https://notcve.org/view.php?id=CVE-2025-21861
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LR... • https://git.kernel.org/stable/c/8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21859 – USB: gadget: f_midi: f_midi_complete to call queue_work
https://notcve.org/view.php?id=CVE-2025-21859
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock. Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler. In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When us... • https://git.kernel.org/stable/c/d5daf49b58661ec4af7a55b277176efbf945ca05 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21858 – geneve: Fix use-after-free in geneve_find_dev().
https://notcve.org/view.php?id=CVE-2025-21858
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each d... • https://git.kernel.org/stable/c/2d07dc79fe04a43d82a346ced6bbf07bdb523f1b • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21857 – net/sched: cls_api: fix error handling causing NULL dereference
https://notcve.org/view.php?id=CVE-2025-21857
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: fix error handling causing NULL dereference tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change(). fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with ex... • https://git.kernel.org/stable/c/80cd22c35c9001fe72bf614d29439de41933deca •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21856 – s390/ism: add release function for struct device
https://notcve.org/view.php?id=CVE-2025-21856
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed. The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper... • https://git.kernel.org/stable/c/8c81ba20349daf9f7e58bb05a0c12f4b71813a30 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21855 – ibmvnic: Don't reference skb after sending to VIOS
https://notcve.org/view.php?id=CVE-2025-21855
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will res... • https://git.kernel.org/stable/c/032c5e82847a2214c3196a90f0aeba0ce252de58 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21854 – sockmap, vsock: For connectible sockets allow only connected
https://notcve.org/view.php?id=CVE-2025-21854
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: sockmap, vsock: For connectible sockets allow only connected sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path. Another design detail is that listening vsocks are not supposed to have any transport as... • https://git.kernel.org/stable/c/634f1a7110b439c65fd8a809171c1d2d28bcea6f •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21853 – bpf: avoid holding freeze_mutex during mmap operation
https://notcve.org/view.php?id=CVE-2025-21853
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: avoid holding freeze_mutex during mmap operation We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which is completely unnecessary. This can potentially also lead to deadlocks, as reported by syzbot in [0]. So, instead, hold freeze_mutex only during... • https://git.kernel.org/stable/c/fc9702273e2edb90400a34b3be76f7b08fa3344b •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21852 – net: Add rx_skb of kfree_skb to raw_tp_null_args[].
https://notcve.org/view.php?id=CVE-2025-21852
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Add rx_skb of kfree_skb to raw_tp_null_args[]. Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0] in trace_kfree_skb if the prog does not check if rx_sk is NULL. Commit c53795d48ee8 ("net: add rx_sk to trace_kfree_skb") added rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL. Let's add kfree_skb to raw_tp_null_args[] to let the BPF verifier validate such a prog and prevent the issue. Now we fail to load suc... • https://git.kernel.org/stable/c/c53795d48ee8f385c6a9e394651e7ee914baaeba •