CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38102 – VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
https://notcve.org/view.php?id=CVE-2025-38102
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38099 – Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken
https://notcve.org/view.php?id=CVE-2025-38099
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. • https://git.kernel.org/stable/c/f48ee562c095e552a30b8d9cc0566a267b410f8a •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38098 – drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink
https://notcve.org/view.php?id=CVE-2025-38098
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector. While dereferencing aconnector->base will "work" it's wrong and might lead to unknown bad things. Just... don't. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to op... • https://git.kernel.org/stable/c/b14e726d57f61085485f107a6203c50a09695abd •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38096 – wifi: iwlwifi: don't warn when if there is a FW error
https://notcve.org/view.php?id=CVE-2025-38096
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: don't warn when if there is a FW error iwl_trans_reclaim is warning if it is called when the FW is not alive. But if it is called when there is a pending restart, i.e. after a FW error, there is no need to warn, instead - return silently. In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: don't warn when if there is a FW error iwl_trans_reclaim is warning if it is called when the FW is not aliv... • https://git.kernel.org/stable/c/0446d34a853d9576e2a7628c803d2abd2f8cf3a8 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38094 – net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
https://notcve.org/view.php?id=CVE-2025-38094
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high as well. Because jiffies are never updated, as we are in a context with interrupts disabled, we never exit that loop and have a deadlock. That deadlock was noticed on a sama5d4 device that stayed locked for days. Use retries instead of jiffies so that the timeout really works and we do not have a deadlock anymore. • https://git.kernel.org/stable/c/e86cd53afc5907f7c221b709916e2dd354e14691 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38090 – drivers/rapidio/rio_cm.c: prevent possible heap overwrite
https://notcve.org/view.php?id=CVE-2025-38090
30 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address th... • https://git.kernel.org/stable/c/b6e8d4aa1110306378af0f3472a6b85a1f039a16 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38086 – net: ch9200: fix uninitialised access during mii_nway_restart
https://notcve.org/view.php?id=CVE-2025-38086
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialis... • https://git.kernel.org/stable/c/4a476bd6d1d923922ec950ddc4c27b279f6901eb •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38085 – mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
https://notcve.org/view.php?id=CVE-2025-38085
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in whic... • https://git.kernel.org/stable/c/39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38084 – mm/hugetlb: unshare page tables during VMA split, not before
https://notcve.org/view.php?id=CVE-2025-38084
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into t... • https://git.kernel.org/stable/c/39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50229 – ALSA: bcd2000: Fix a UAF bug on the error path of probing
https://notcve.org/view.php?id=CVE-2022-50229
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: bcd2000: Fix a UAF bug on the error path of probing When the driver fails in snd_card_register() at probe time, it will free the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug. The following log can reveal it: [ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] [ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0 [ 50.729530] Call Trace: [ 50.732899] bcd20... • https://git.kernel.org/stable/c/b47a22290d581277be70e8a597824a4985d39e83 •