CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-40032 – PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
https://notcve.org/view.php?id=CVE-2025-40032
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan(). Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases: Unable to handle... • https://git.kernel.org/stable/c/5ebf3fc59bd20d17df3ba26159787d13cf20d362 •
CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-40031 – tee: fix register_shm_helper()
https://notcve.org/view.php?id=CVE-2025-40031
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tee: fix register_shm_helper() In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. • https://git.kernel.org/stable/c/7bdee41575919773818e525ea19e54eb817770af •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40030 – pinctrl: check the return value of pinmux_ops::get_function_name()
https://notcve.org/view.php?id=CVE-2025-40030
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: check the return value of pinmux_ops::get_function_name() While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp(... • https://git.kernel.org/stable/c/1a7fc8fed2bb2e113604fde7a45432ace2056b97 •
CVSS: 5.5 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2025-40029 – bus: fsl-mc: Check return value of platform_get_resource()
https://notcve.org/view.php?id=CVE-2025-40029
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: Check return value of platform_get_resource() platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference. • https://git.kernel.org/stable/c/6305166c8771c33a8d5992fb53f93cfecedc14fd •
CVSS: 7.2 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-40028 – binder: fix double-free in dbitmap
https://notcve.org/view.php?id=CVE-2025-40028
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix double-free in dbitmap A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error: ================================================================== BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c Fre... • https://git.kernel.org/stable/c/15d9da3f818cae676f822a04407d3c17b53357d2 •
CVSS: 5.5 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2025-40027 – net/9p: fix double req put in p9_fd_cancelled
https://notcve.org/view.php?id=CVE-2025-40027
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net/9p: fix double req put in p9_fd_cancelled Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 ... • https://git.kernel.org/stable/c/afd8d65411551839b7ab14a539d00075b2793451 •
CVSS: 7.8 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2025-40026 – KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
https://notcve.org/view.php?id=CVE-2025-40026
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted de... • https://git.kernel.org/stable/c/8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 •
CVSS: 6.6 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-40025 – f2fs: fix to do sanity check on node footer for non inode dnode
https://notcve.org/view.php?id=CVE-2025-40025
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer for non inode dnode As syzbot reported below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/file.c:1243! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full) RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243 Call Trace:
CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-40024 – vhost: Take a reference on the task in struct vhost_task.
https://notcve.org/view.php?id=CVE-2025-40024
24 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost: Take a reference on the task in struct vhost_task. vhost_task_create() creates a task and keeps a reference to its task_struct. That task may exit early via a signal and its task_struct will be released. A pending vhost_task_wake() will then attempt to wake the task and access a task_struct which is no longer there. Acquire a reference on the task_struct while creating the thread and release the reference while the struct vhost_task ... • https://git.kernel.org/stable/c/f9010dbdce911ee1f1af1398a24b1f9f992e0080 •
CVSS: 5.6 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-40022 – crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
https://notcve.org/view.php?id=CVE-2025-40022
24 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfields of ... • https://git.kernel.org/stable/c/1f323a48e9b5ebfe6dc7d130fdf5c3c0e92a07c8 •
