CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40218 – mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
https://notcve.org/view.php?id=CVE-2025-40218
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pte_offset_map_lock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN. pte_offset_map_lock() can continuously fail if the target is a pmd... • https://git.kernel.org/stable/c/7780d04046a2288ab85d88bedacc60fa4fad9971 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40215 – xfrm: delete x->tunnel as we delete x
https://notcve.org/view.php?id=CVE-2025-40215
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_stat... • https://git.kernel.org/stable/c/9d4139c76905833afcb77fe8ccc17f302a0eb9ab •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40214 – af_unix: Initialise scc_index in unix_add_edge().
https://notcve.org/view.php?id=CVE-2025-40214
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. • https://git.kernel.org/stable/c/adfb68b39b39767d6bfb53e48c4f19c183765686 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40211 – ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
https://notcve.org/view.php?id=CVE-2025-40211
21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by ... • https://git.kernel.org/stable/c/8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40210 – Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"
https://notcve.org/view.php?id=CVE-2025-40210
21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"). Tianshuo Han also reports a potential vulnerability when deco... • https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40207 – media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
https://notcve.org/view.php?id=CVE-2025-40207
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try(). In the Linux kernel, the following vulnerability has been... • https://git.kernel.org/stable/c/982c0487185bd466059ff618f398a8d074ddb654 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40206 – netfilter: nft_objref: validate objref and objrefmap expressions
https://notcve.org/view.php?id=CVE-2025-40206
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip... • https://git.kernel.org/stable/c/ee394f96ad7517fbc0de9106dcc7ce9efb14f264 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40205 – btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
https://notcve.org/view.php?id=CVE-2025-40205
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_... • https://git.kernel.org/stable/c/be6e8dc0ba84029997075a1ec77b4ddb863cbe15 •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40204 – sctp: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2025-40204
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. The SUSE Linux Enterprise 15 SP6 kernel was updated to... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40203 – listmount: don't call path_put() under namespace semaphore
https://notcve.org/view.php?id=CVE-2025-40203
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked. In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're ... • https://git.kernel.org/stable/c/b4c2bea8ceaa50cd42a8f73667389d801a3ecf2d •