CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-58098 – bpf: track changes_pkt_data property for global functions
https://notcve.org/view.php?id=CVE-2024-58098
05 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: track changes_pkt_data property for global functions When processing calls to certain helpers, verifier invalidates all packet pointers in a current state. For example, consider the following program: __attribute__((__noinline__)) long skb_pull_data(struct __sk_buff *sk, __u32 len) { return bpf_skb_pull_data(sk, len); } SEC("tc") int test_invalidate_checks(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; if ((void *)(p + 1) > (... • https://git.kernel.org/stable/c/51c39bb1d5d105a02e29aa7960f0a395086e6342 •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37799 – vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp
https://notcve.org/view.php?id=CVE-2025-37799
03 May 2025 — In the Linux kernel, the following vulnerability has been resolved: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes). We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.... • https://git.kernel.org/stable/c/aba8659caf88017507419feea06069f529329ea6 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37798 – codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
https://notcve.org/view.php?id=CVE-2025-37798
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue(). In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the c... • https://git.kernel.org/stable/c/76e3cc126bb223013a6b9a0e2a51238d1ef2e409 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37797 – net_sched: hfsc: Fix a UAF vulnerability in class handling
https://notcve.org/view.php?id=CVE-2025-37797
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qd... • https://git.kernel.org/stable/c/21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37796 – wifi: at76c50x: fix use after free access in at76_disconnect
https://notcve.org/view.php?id=CVE-2025-37796
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface. In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use afte... • https://git.kernel.org/stable/c/29e20aa6c6aff35c81d4da2e2cd516dadb569061 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37795 – wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()
https://notcve.org/view.php?id=CVE-2025-37795
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() The ieee80211 skb control block key (set when skb was queued) could have been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue() already called ieee80211_tx_h_select_key() to get the current key, but the latter do not update the key in skb control block in case it is NULL. Because some drivers actually use this key in their TX callbacks (e.g. ath1{1,2}k... • https://git.kernel.org/stable/c/bb42f2d13ffcd0baed7547b37d05add51fcd50e1 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37794 – wifi: mac80211: Purge vif txq in ieee80211_do_stop()
https://notcve.org/view.php?id=CVE-2025-37794
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Purge vif txq in ieee80211_do_stop() After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state. Because vif.drv_priv is now cleared in this function, this could lead to driver crash. For example in ath12k, ahvif is store in vif.drv_priv.... • https://git.kernel.org/stable/c/ba8c3d6f16a1f9305c23ac1d2fd3992508c5ac03 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37793 – ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()
https://notcve.org/view.php?id=CVE-2025-37793
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component_probe() does not check for this case, which results in a NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component... • https://git.kernel.org/stable/c/739c031110da9ba966b0189fa25a2a1c0d42263c •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37792 – Bluetooth: btrtl: Prevent potential NULL dereference
https://notcve.org/view.php?id=CVE-2025-37792
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: Prevent potential NULL dereference The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' I... • https://git.kernel.org/stable/c/26503ad25de8c7c93a2037f919c2e49a62cf65f1 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37790 – net: mctp: Set SOCK_RCU_FREE
https://notcve.org/view.php?id=CVE-2025-37790
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mctp: Set SOCK_RCU_FREE Bind lookup runs under RCU, so ensure that a socket doesn't go away in the middle of a lookup. In the Linux kernel, the following vulnerability has been resolved: net: mctp: Set SOCK_RCU_FREE Bind lookup runs under RCU, so ensure that a socket doesn't go away in the middle of a lookup. • https://git.kernel.org/stable/c/833ef3b91de692ef33b800bca6b1569c39dece74 •