
CVE-2025-39851 – vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
https://notcve.org/view.php?id=CVE-2025-39851
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object VXLAN FDB entries can point to either a remote destination or an FDB nexthop group. The latter is usually used in EVPN deployments where learning is disabled. However, when learning is enabled, an incoming packet might try to refresh an FDB entry that points to an FDB nexthop group and therefore does not have a remote. Such packets should be dropped, but they are only dropped... • https://git.kernel.org/stable/c/1274e1cc42264d4e629841e4f182795cb0becfd2 •

CVE-2025-39850 – vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
https://notcve.org/view.php?id=CVE-2025-39850
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and valid neighbor entry is configured on the VXLAN device whose MAC address is not behind the "any" remote (0.0.0.0 / ::). The code currently assumes that the FDB entry ... • https://git.kernel.org/stable/c/1274e1cc42264d4e629841e4f182795cb0becfd2 •

CVE-2025-39849 – wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
https://notcve.org/view.php?id=CVE-2025-39849
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption so add some bounds checking. • https://git.kernel.org/stable/c/dd43f8f90206054e7da7593de0a334fb2cd0ea88 •

CVE-2025-39848 – ax25: properly unshare skbs in ax25_kiss_rcv()
https://notcve.org/view.php?id=CVE-2025-39848
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv() Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before the above commit, different kinds of bugs or corruptions could happen without a major crash. But the root cause is that ax25_kiss_rcv() can queue/mangle input skb without checking if this skb is shared or no... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •

CVE-2025-39847 – ppp: fix memory leak in pad_compress_skb
https://notcve.org/view.php?id=CVE-2025-39847
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference to the old skb is lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. Align pad_compress_skb() semantics with realloc(): only free the old skb if... • https://git.kernel.org/stable/c/b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c •

CVE-2025-39846 – pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
https://notcve.org/view.php?id=CVE-2025-39846
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res. • https://git.kernel.org/stable/c/49b1153adfe18a3cce7e70aa26c690f275917cd0 •

CVE-2025-39845 – x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
https://notcve.org/view.php?id=CVE-2025-39845
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel(). This fixes in... • https://git.kernel.org/stable/c/8d400913c231bd1da74067255816453f96cd35b0 •

CVE-2025-39844 – mm: move page table sync declarations to linux/pgtable.h
https://notcve.org/view.php?id=CVE-2025-39844
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Ca... • https://git.kernel.org/stable/c/8d400913c231bd1da74067255816453f96cd35b0 •

CVE-2025-39843 – mm: slub: avoid wake up kswapd in set_track_prepare
https://notcve.org/view.php?id=CVE-2025-39843
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm: slub: avoid wake up kswapd in set_track_prepare set_track_prepare() can incur lock recursion. The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when CONFIG_DEBUG_OBJECTS_TIMERS is enabled, it may wake up kswapd in set_track_prepare and try to hold the per_cpu(hrtimer_bases)[n].lock. Avoid deadlock caused by implicitly waking up kswapd by passing in allocation flags, which do not contai... • https://git.kernel.org/stable/c/5cf909c553e9efed573811de4b3f5172898d5515 •

CVE-2025-39842 – ocfs2: prevent release journal inode after journal shutdown
https://notcve.org/view.php?id=CVE-2025-39842
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: prevent release journal inode after journal shutdown Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_release_jbd_inode(). ocfs2_dismount_volume()-> ocfs2_delete_osb()-> ocfs2_free_slot_info()-> __ocfs2_free_slot_info()-> evict()-> ocfs2_evict_inode()-> ocf... • https://git.kernel.org/stable/c/da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 •