CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39766 – net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
https://notcve.org/view.php?id=CVE-2025-39766
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ htb rate 64bit tc qdisc add dev lo parent 1:1 handle f: \ cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 This is because the low memlimit leads ... • https://git.kernel.org/stable/c/046f6fd5daefac7f5abdafb436b30f63bc7c602b •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39764 – netfilter: ctnetlink: remove refcounting in expectation dumpers
https://notcve.org/view.php?id=CVE-2025-39764
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption. AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do if (!refcount_inc_not_zero(&exp->use)) to increment the refcount, there is a chance that exp == last, which causes a double-... • https://git.kernel.org/stable/c/cf6994c2b9812a9f02b99e89df411ffc5db9c779 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39763 – ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered
https://notcve.org/view.php?id=CVE-2025-39763
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered If a synchronous error is detected as a result of user-space process triggering a 2-bit uncorrected error, the CPU will take a synchronous error exception such as Synchronous External Abort (SEA) on Arm64. The kernel will queue a memory_failure() work which poisons the related page, unmaps the page, and then sends a SIGBUS to the process, so that a system wide... • https://git.kernel.org/stable/c/082735fbcdb6cd0cf20fbec94516ab2996f1cdd5 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39762 – drm/amd/display: add null check
https://notcve.org/view.php?id=CVE-2025-39762
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. • https://git.kernel.org/stable/c/4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39761 – wifi: ath12k: Decrement TID on RX peer frag setup error handling
https://notcve.org/view.php?id=CVE-2025-39761
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Decrement TID on RX peer frag setup error handling Currently, TID is not decremented before peer cleanup, during error handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to out-of-bounds access in peer->rx_tid[]. Hence, add a decrement operation for TID, before peer cleanup to ensures proper cleanup and prevents out-of-bounds access issues when the RX peer frag setup fails. Found during code review. Compile teste... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 • CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39760 – usb: core: config: Prevent OOB read in SS endpoint companion parsing
https://notcve.org/view.php?id=CVE-2025-39760
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor. In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss... • https://git.kernel.org/stable/c/5c3097ede7835d3caf6543eb70ff689af4550cd2 •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39759 – btrfs: qgroup: fix race between quota disable and quota rescan ioctl
https://notcve.org/view.php?id=CVE-2025-39759
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing ... • https://git.kernel.org/stable/c/7cda0fdde5d9890976861421d207870500f9aace •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39758 – RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages
https://notcve.org/view.php?id=CVE-2025-39758
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this: static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset, size_t size) [...] /* Calculate the number of bytes we need to push, for this page * specifically */ size_t bytes = min_t(size_t, PAGE_SIZE - offset, size); /* If we can't splice it, then copy it in, as normal */ if... • https://git.kernel.org/stable/c/c2ff29e99a764769eb2ce3a1a5585013633ee9a6 •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39757 – ALSA: usb-audio: Validate UAC3 cluster segment descriptors
https://notcve.org/view.php?id=CVE-2025-39757
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descrip... • https://git.kernel.org/stable/c/11785ef53228d23ec386f5fe4a34601536f0c891 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39756 – fs: Prevent file descriptor table allocations exceeding INT_MAX
https://notcve.org/view.php?id=CVE-2025-39756
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_MAX, resulting in a WARNING in mm/slub.c: WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288 This happens because kvmalloc_array() and kvm... • https://git.kernel.org/stable/c/9cfe015aa424b3c003baba3841a60dd9b5ad319b •