CVSS: 7.1EPSS: %CPEs: 10EXPL: 0CVE-2025-37961 – ipvs: fix uninit-value for saddr in do_output_route4
https://notcve.org/view.php?id=CVE-2025-37961
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ipvs: fix uninit-value for saddr in do_output_route4 syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 ("ipvs: do not use random local source address for tunnels") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr. [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/ne... • https://git.kernel.org/stable/c/4754957f04f5f368792a0eb7dab0ae89fb93dcfd •
CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2025-37960 – memblock: Accept allocated memory before use in memblock_double_array()
https://notcve.org/view.php?id=CVE-2025-37960
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: memblock: Accept allocated memory before use in memblock_double_array() When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest: RIP: 0010:memcpy_orig+0x68/0x130 Code: ... RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006 RAX: ff110... • https://git.kernel.org/stable/c/dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6 •
CVSS: 7.3EPSS: %CPEs: 5EXPL: 0CVE-2025-37959 – bpf: Scrub packet on bpf_redirect_peer
https://notcve.org/view.php?id=CVE-2025-37959
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Scrub packet on bpf_redirect_peer When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be "misused" in another namespace. As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows ... • https://git.kernel.org/stable/c/9aa1206e8f48222f35a0c809f33b2f4aaa1e2661 •
CVSS: 6.6EPSS: %CPEs: 3EXPL: 0CVE-2025-37958 – mm/huge_memory: fix dereferencing invalid pmd migration entry
https://notcve.org/view.php?id=CVE-2025-37958
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target foli... • https://git.kernel.org/stable/c/84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 •
CVSS: 8.4EPSS: %CPEs: 5EXPL: 0CVE-2025-37957 – KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception
https://notcve.org/view.php?id=CVE-2025-37957
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Previously, commit ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM). This omission results in triggering a WARN when KVM forces a vCPU INIT after SHUTDOWN interception w... • https://git.kernel.org/stable/c/ed129ec9057f89d615ba0c81a4984a90345a1684 •
CVSS: 5.5EPSS: %CPEs: 4EXPL: 0CVE-2025-37956 – ksmbd: prevent rename with empty string
https://notcve.org/view.php?id=CVE-2025-37956
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent rename with empty string Client can send empty newname string to ksmbd server. It will cause a kernel oops from d_alloc. This patch return the error when attempting to rename a file or directory with an empty new name string. In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent rename with empty string Client can send empty newname string to ksmbd server. It will cause a kernel oops from d_alloc.... • https://git.kernel.org/stable/c/6ee551672c8cf36108b0cfba92ec0c7c28ac3439 •
CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2025-37955 – virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()
https://notcve.org/view.php?id=CVE-2025-37955
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() The selftests added to our CI by Bui Quang Minh recently reveals that there is a mem leak on the error path of virtnet_xsk_pool_enable(): unreferenced object 0xffff88800a68a000 (size 2048): comm "xdp_helper", pid 318, jiffies 4294692778 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..... • https://git.kernel.org/stable/c/e9f3962441c0a4d6f16c656e6c8aa02a3ccdd568 •
CVSS: 4.7EPSS: %CPEs: 4EXPL: 0CVE-2025-37954 – smb: client: Avoid race in open_cached_dir with lease breaks
https://notcve.org/view.php?id=CVE-2025-37954
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Avoid race in open_cached_dir with lease breaks A pre-existing valid cfid returned from find_or_create_cached_dir might race with a lease break, meaning open_cached_dir doesn't consider it valid, and thinks it's newly-constructed. This leaks a dentry reference if the allocation occurs before the queued lease break work runs. Avoid the race by extending holding the cfid_list_lock across find_or_create_cached_dir and when the res... • https://git.kernel.org/stable/c/2ed98e89ebc2e1bc73534dc3c18cb7843a889ff9 •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-37953 – sch_htb: make htb_deactivate() idempotent
https://notcve.org/view.php?id=CVE-2025-37953
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() For htb_next_rb_node(), after calling the 1st htb_deactivate(), the... • https://git.kernel.org/stable/c/73cf6af13153d62f9b76eff422eea79dbc70f15e •
CVSS: 7.1EPSS: %CPEs: 4EXPL: 0CVE-2025-37952 – ksmbd: Fix UAF in __close_file_table_ids
https://notcve.org/view.php?id=CVE-2025-37952
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix UAF in __close_file_table_ids A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this. The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions ... • https://git.kernel.org/stable/c/fec1f9e9a650e8e7011330a085c77e7bf2a08ea9 •