CVSS: 5.6 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-40043 – net: nfc: nci: Add parameter validation for packet data
https://notcve.org/view.php?id=CVE-2025-40043
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Add parameter validation for packet data. Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools"). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size...
• https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8
CVSS: 4.7 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40042 – tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-40042
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference. There is a critical race condition in kprobe initialization that can lead to a NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatc...
• https://git.kernel.org/stable/c/50d780560785b068c358675c5f0bf6c83b5c373e
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40035 – Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
https://notcve.org/view.php?id=CVE-2025-40035
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak. Struct ff_effect_compat, which is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace. Initialize ff_up_compat to zero before filling valid fields. In the...
• https://git.kernel.org/stable/c/2d56f3a32c0e62f99c043d2579840f9731fe5855
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40030 – pinctrl: check the return value of pinmux_ops::get_function_name()
https://notcve.org/view.php?id=CVE-2025-40030
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: check the return value of pinmux_ops::get_function_name(). While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops(), so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp(...
• https://git.kernel.org/stable/c/1a7fc8fed2bb2e113604fde7a45432ace2056b97
CVSS: 7.8 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-40026 – KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
https://notcve.org/view.php?id=CVE-2025-40026
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O. When completing emulation of an instruction that generated a userspace exit for I/O, don't recheck L1 intercepts, as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted de...
• https://git.kernel.org/stable/c/8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9
CVSS: 6.6 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40025 – f2fs: fix to do sanity check on node footer for non inode dnode
https://notcve.org/view.php?id=CVE-2025-40025
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer for non inode dnode. As syzbot reported below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/file.c:1243!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)
RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243
Call Trace:
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40020 – can: peak_usb: fix shift-out-of-bounds issue
https://notcve.org/view.php?id=CVE-2025-40020
24 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: peak_usb: fix shift-out-of-bounds issue. Explicitly use a 64-bit constant when the number of bits used for its shifting is 32 (which is the case for PC CAN FD interfaces supported by this driver). [mkl: update subject, apply manually]
• https://git.kernel.org/stable/c/bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40018 – ipvs: Defer ip_vs_ftp unregister during netns cleanup
https://notcve.org/view.php?id=CVE-2025-40018
24 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup. On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_modul...
• https://git.kernel.org/stable/c/61b1ab4583e275af216c8454b9256de680499b19
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2023-53728 – posix-timers: Ensure timer ID search-loop limit is valid
https://notcve.org/view.php?id=CVE-2023-53728
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: posix-timers: Ensure timer ID search-loop limit is valid. posix_timer_add() tries to allocate a posix timer ID by starting from the cached ID which was stored by the last successful allocation. This is done in a loop searching the ID space for a free slot one by one. The loop has to terminate when the search wrapped around to the starting point. But that's racy vs. establishing the starting point. That is read out lockless, which leads to th...
• https://git.kernel.org/stable/c/8dc52c200b889bc1cb34288fbf623d4ff381d2ae
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2023-53725 – clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
https://notcve.org/view.php?id=CVE-2023-53725
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe. Smatch reports: drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe() warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516. timer_baseaddr may have the problem of not being released after use; I replaced it with the devm_of_iomap() function and added the clk_put() function to clean up "clk_ce" and "clk_cs".
• https://git.kernel.org/stable/c/e932900a3279b5dbb6d8f43c7b369003620e137c
