CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40174 – x86/mm: Fix SMP ordering in switch_mm_irqs_off()
https://notcve.org/view.php?id=CVE-2025-40174
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix SMP ordering in switch_mm_irqs_off() Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs. [ dhansen: merge conflict fixed by Ingo ] In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/209954cbc7d0ce1a190fc725d20ce303d74d2680 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40173 – net/ip6_tunnel: Prevent perpetual tunnel growth
https://notcve.org/view.php?id=CVE-2025-40173
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"), ipv6 tunnel yet increases the headroom without any ceiling. Reflect ipv4 tunnel headroom adjustment limit on ipv6 version. Credits to Francesco Ruggeri, who was originally debugging this ... • https://git.kernel.org/stable/c/8eb30be0352d09165e94a41fef1c7b994dca0714 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40172 – accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
https://notcve.org/view.php?id=CVE-2025-40172
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that ca... • https://git.kernel.org/stable/c/96d3c1cadedb6ae2e8965e19cd12caa244afbd9c •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40171 – nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
https://notcve.org/view.php?id=CVE-2025-40171
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmet_fc_ls_req_op It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken. In the current code, only one put work item is queued at a time, which results in a leaked reference. To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command. In the Linux kernel, the fo... • https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40170 – net: use dst_dev_rcu() in sk_setup_caps()
https://notcve.org/view.php?id=CVE-2025-40170
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu(). In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst... • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40169 – bpf: Reject negative offsets for ALU ops
https://notcve.org/view.php?id=CVE-2025-40169
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops When verifying BPF programs, the check_alu_op() function validates instructions with ALU operations. The 'offset' field in these instructions is a signed 16-bit integer. The existing check 'insn->off > 1' was intended to ensure the offset is either 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' is signed, this check incorrectly accepts all negative values (e.g., -1). This commit tightens t... • https://git.kernel.org/stable/c/ec0e2da95f72d4a46050a4d994e4fe471474fd80 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40168 – smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
https://notcve.org/view.php?id=CVE-2025-40168
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match(). smc_clc_prfx_match() is called from smc_listen_work() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the returned value of smc_clc_prfx_match() is not used in the caller. In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_... • https://git.kernel.org/stable/c/a046d57da19f812216f393e7c535f5858f793ac3 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40167 – ext4: detect invalid INLINE_DATA + EXTENTS flag combination
https://notcve.org/view.php?id=CVE-2025-40167
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the i... • https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40166 – drm/xe/guc: Check GuC running state before deregistering exec queue
https://notcve.org/view.php?id=CVE-2025-40166
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Check GuC running state before deregistering exec queue In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled. In this case, the driver cannot receive a response... • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40165 – media: nxp: imx8-isi: m2m: Fix streaming cleanup on release
https://notcve.org/view.php?id=CVE-2025-40165
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON(): [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/i... • https://git.kernel.org/stable/c/cf21f328fcafacf4f96e7a30ef9dceede1076378 •