CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-39691 – fs/buffer: fix use-after-free when call bh_read() helper
https://notcve.org/view.php?id=CVE-2025-39691
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's an issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace:
CVSS: 7.2 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-39686 – comedi: Make insn_rw_emulate_bits() do insn->n samples
https://notcve.org/view.php?id=CVE-2025-39686
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction h... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-39685 – comedi: pcl726: Prevent invalid irq number
https://notcve.org/view.php?id=CVE-2025-39685
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number (0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options... • https://git.kernel.org/stable/c/fff46207245cd9e39c05b638afaee2478e64914b •
CVSS: 7.1 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-39684 – comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
https://notcve.org/view.php?id=CVE-2025-39684
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 6.6 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-39677 – net/sched: Fix backlog accounting in qdisc_dequeue_internal
https://notcve.org/view.php?id=CVE-2025-39677
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix backlog accounting in qdisc_dequeue_internal This issue applies for the following qdiscs: hhf, fq, fq_codel, and fq_pie, and occurs in their change handlers when adjusting to the new limit. The problem is the following in the values passed to the subsequent qdisc_tree_reduce_backlog call given a tbf parent: When the tbf parent runs out of tokens, skbs of these qdiscs will be placed in gso_skb. Their peek handlers are qdisc_pe... • https://git.kernel.org/stable/c/4b549a2ef4bef9965d97cbd992ba67930cd3e0fe •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-39676 – scsi: qla4xxx: Prevent a potential error pointer dereference
https://notcve.org/view.php?id=CVE-2025-39676
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. • https://git.kernel.org/stable/c/13483730a13bef372894aefcf73760f5c6c297be •
CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-38724 – nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
https://notcve.org/view.php?id=CVE-2025-38724
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). A SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if the... • https://git.kernel.org/stable/c/d20c11d86d8f821a64eac7d6c8f296f06d935f4f •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-38721 – netfilter: ctnetlink: fix refcount leak on table dump
https://notcve.org/view.php?id=CVE-2025-38721
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table():
    if (res < 0) {
        nf_conntrack_get(&ct->ct_general); // HERE
        cb->args[1] = (unsigned long)ct;
        ...
While it's very unlikely, it's possible that ct == last. If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone. This prevents the conntrack object from being released, which in turn keeps pre... • https://git.kernel.org/stable/c/d205dc40798d97d63ad348bfaf7394f445d152d4 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-38716 – hfs: fix general protection fault in hfs_find_init()
https://notcve.org/view.php?id=CVE-2025-38716
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: fix general protection fault in hfs_find_init() The hfs_find_init() method can trigger the crash if the tree pointer is NULL: [ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI [ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] [ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full) [... • https://git.kernel.org/stable/c/4f032979b63ad52e08aadf0faeac34ed35133ec0 •
CVSS: 6.6 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-38715 – hfs: fix slab-out-of-bounds in hfs_bnode_read()
https://notcve.org/view.php?id=CVE-2025-38715
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces the is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces the check_and_correct_requested_length() method that checks and corrects the requested length (if necessary). These methods are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent the access out of allocate... • https://git.kernel.org/stable/c/e7d2dc2421e821e4045775e6dc226378328de6f6 •
