CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38181 – calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
https://notcve.org/view.php?id=CVE-2025-38181
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"), reqsk->rsk_listener could be NULL when SYN Cookie is returned to its client, as hinted by the leading SYN Cookie log. Here are 3... • https://git.kernel.org/stable/c/e1adea927080821ebfa7505bff752a4015955660 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38180 – net: atm: fix /proc/net/atm/lec handling
https://notcve.org/view.php?id=CVE-2025-38180
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38177 – sch_hfsc: make hfsc_qlen_notify() idempotent
https://notcve.org/view.php?id=CVE-2025-38177
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it. 2. eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe. I... • https://git.kernel.org/stable/c/0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38174 – thunderbolt: Do not double dequeue a configuration request
https://notcve.org/view.php?id=CVE-2025-38174
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call Trace:
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38173 – crypto: marvell/cesa - Handle zero-length skcipher requests
https://notcve.org/view.php?id=CVE-2025-38173
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. • https://git.kernel.org/stable/c/f63601fd616ab370774fa00ea10bcaaa9e48e84c •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38163 – f2fs: fix to do sanity check on sbi->total_valid_block_count
https://notcve.org/view.php?id=CVE-2025-38163
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sbi->total_valid_block_count syzbot reported a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace: f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 f2fs_truncate_inode_blocks+0x8e3/0x1370 f... • https://git.kernel.org/stable/c/39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38161 – RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
https://notcve.org/view.php?id=CVE-2025-38161
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure. Now properly rollback the object to its original state upon such failure. In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: u... • https://git.kernel.org/stable/c/e2013b212f9f201c71fc5826ce41f39ebece0852 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38157 – wifi: ath9k_htc: Abort software beacon handling if disabled
https://notcve.org/view.php?id=CVE-2025-38157
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled. In the Linux kernel, the following vulnerability has been resolved: wif... • https://git.kernel.org/stable/c/832f6a18fc2aead14954c081ece03b7a5b425f81 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38147 – calipso: Don't call calipso functions for AF_INET sk.
https://notcve.org/view.php?id=CVE-2025-38147
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: calipso: Don't call calipso functions for AF_INET sk. syzkaller reported a null-ptr-deref in txopt_get(). [0] The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there. However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one. The root cause is missing validation in netlbl_conn_setattr(). netlbl_conn_setattr() switche... • https://git.kernel.org/stable/c/ceba1832b1b2da0149c51de62a847c00bca1677a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38136 – usb: renesas_usbhs: Reorder clock handling and power management in probe
https://notcve.org/view.php?id=CVE-2025-38136
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Reorder clock handling and power management in probe Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks. Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows: usbhs_probe() usbhs_sys_cloc... • https://git.kernel.org/stable/c/f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 •