CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39910 – mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()
https://notcve.org/view.php?id=CVE-2025-39910
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and always allocate memory using the hardcoded GFP_KERNEL flag. This makes them inconsistent with vmalloc(), which was recently extended to support GFP_NOFS and GFP_NOIO allocations. Page table allocations performed during shadow population also ignore the external gfp_mask. To preserve the intended semant... • https://git.kernel.org/stable/c/451769ebb7e792c3404db53b3c2a422990de654e •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39909 – mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()
https://notcve.org/view.php?id=CVE-2025-39909
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Patch series "mm/damon: avoid divide-by-zero in DAMON module's parameters application". DAMON's RECLAIM and LRU_SORT modules perform no validation on user-configured parameters during application, which may lead to division-by-zero errors. Avoid the divide-by-zero by adding validation checks when DAMON modules attempt to apply the parameters. This patch (of 2): Dur... • https://git.kernel.org/stable/c/40e983cca9274e177bd5b9379299b44d9536ac68 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39907 – mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
https://notcve.org/view.php?id=CVE-2025-39907
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Avoid below overlapping mappings by using a contiguous non-cacheable buffer. [ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST, overlapping mappings aren't supported [ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300 [ 4.097071] Modules linked in: [ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tain... • https://git.kernel.org/stable/c/2cd457f328c100bc98e36d55fe210e9ab067c704 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39905 – net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
https://notcve.org/view.php?id=CVE-2025-39905
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: phylink: add lock for serializing concurrent pl->phydev writes with resolver Currently phylink_resolve() protects itself against concurrent phylink_bringup_phy() or phylink_disconnect_phy() calls which modify pl->phydev by relying on pl->state_mutex. The problem is that in phylink_resolve(), pl->state_mutex is in a lock inversion state with pl->phydev->lock. So pl->phydev->lock needs to be acquired prior to pl->state_mutex. But that re... • https://git.kernel.org/stable/c/56fe63b05ec84ae6674269d78397cec43a7a295a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39902 – mm/slub: avoid accessing metadata when pointer is invalid in object_err()
https://notcve.org/view.php?id=CVE-2025-39902
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid accessing metadata when pointer is invalid in object_err() object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object. One known path to the crash is when alloc_consistency_checks() determines the pointer to the allocated object is invalid beca... • https://git.kernel.org/stable/c/81819f0fc8285a2a5a921c019e3e3d7b6169d225 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39901 – i40e: remove read access to debugfs files
https://notcve.org/view.php?id=CVE-2025-39901
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: remove read access to debugfs files The 'command' and 'netdev_ops' debugfs files are a legacy debugging interface supported by the i40e driver since its early days by commit 02e9c290814c ("i40e: debugfs interface"). Both of these debugfs files provide a read handler which is mostly useless, and which is implemented with questionable logic. They both use a static 256 byte buffer which is initialized to the empty string. In the case of ... • https://git.kernel.org/stable/c/02e9c290814cc143ceccecb14eac3e7a05da745e •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39894 – netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
https://notcve.org/view.php?id=CVE-2025-39894
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm When send a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 96... • https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39891 – wifi: mwifiex: Initialize the chan_stats array to zero
https://notcve.org/view.php?id=CVE-2025-39891
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey(). There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also ... • https://git.kernel.org/stable/c/bf35443314acb43fa8a3f9f8046e14cbe178762b •
CVSS: 5.7EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39889 – Bluetooth: l2cap: Check encryption key size on incoming connection
https://notcve.org/view.php?id=CVE-2025-39889
24 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Check encryption key size on incoming connection This is required for passing GAP/SEC/SEM/BI-04-C PTS test case: Security Mode 4 Level 4, Responder - Invalid Encryption Key Size - 128 bit This tests the security key with size from 1 to 15 bytes while the Security Mode 4 Level 4 requests 16 bytes key size. Currently PTS fails with the following logs: - expected:Connection Response: Code: [3 (0x03)] Code Identifier: (lt)Wild... • https://git.kernel.org/stable/c/288c06973daae4637f25a0d1bdaf65fdbf8455f9 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-58241 – Bluetooth: hci_core: Disable works on hci_unregister_dev
https://notcve.org/view.php?id=CVE-2024-58241
24 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Disable works on hci_unregister_dev This make use of disable_work_* on hci_unregister_dev since the hci_dev is about to be freed new submissions are not disarable. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Disable works on hci_unregister_dev This make use of disable_work_* on hci_unregister_dev since the hci_dev is about to be freed new submissions are not disarable. • https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913 •