
CVE-2025-38185 – atm: atmtcp: Free invalid length skb in atmtcp_c_send().
https://notcve.org/view.php?id=CVE-2025-38185
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert at... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •

CVE-2025-38184 – tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
https://notcve.org/view.php?id=CVE-2025-38184
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711 tipc: Enabled bearer

CVE-2025-38181 – calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
https://notcve.org/view.php?id=CVE-2025-38181
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"), reqsk->rsk_listener could be NULL when SYN Cookie is returned to its client, as hinted by the leading SYN Cookie log. Here are 3... • https://git.kernel.org/stable/c/e1adea927080821ebfa7505bff752a4015955660 •

CVE-2025-38180 – net: atm: fix /proc/net/atm/lec handling
https://notcve.org/view.php?id=CVE-2025-38180
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •

CVE-2025-38177 – sch_hfsc: make hfsc_qlen_notify() idempotent
https://notcve.org/view.php?id=CVE-2025-38177
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it. 2. eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe. I... • https://git.kernel.org/stable/c/0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87 •

CVE-2025-38174 – thunderbolt: Do not double dequeue a configuration request
https://notcve.org/view.php?id=CVE-2025-38174
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call Trace:

CVE-2025-38173 – crypto: marvell/cesa - Handle zero-length skcipher requests
https://notcve.org/view.php?id=CVE-2025-38173
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. • https://git.kernel.org/stable/c/f63601fd616ab370774fa00ea10bcaaa9e48e84c •

CVE-2025-38166 – bpf: fix ktls panic with sockmap
https://notcve.org/view.php?id=CVE-2025-38166
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockmap [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299] <TASK> [ 2172.945428] ? die+0x36/0x90 [ 2172.945601] ? do_trap+0xdd/0x100 [ 2172.945795] ? iov_iter_revert+0x178/0x180 [ 2172.946031] ? • https://git.kernel.org/stable/c/d3b18ad31f93d0b6bae105c679018a1ba7daa9ca •

CVE-2025-38163 – f2fs: fix to do sanity check on sbi->total_valid_block_count
https://notcve.org/view.php?id=CVE-2025-38163
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sbi->total_valid_block_count syzbot reported a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace: f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 f2fs_truncate_inode_blocks+0x8e3/0x1370 f... • https://git.kernel.org/stable/c/39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 •

CVE-2025-38161 – RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
https://notcve.org/view.php?id=CVE-2025-38161
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure. Now properly rollback the object to its original state upon such failure. In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: u... • https://git.kernel.org/stable/c/e2013b212f9f201c71fc5826ce41f39ebece0852 •