CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38185 – atm: atmtcp: Free invalid length skb in atmtcp_c_send().
https://notcve.org/view.php?id=CVE-2025-38185
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert at... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38180 – net: atm: fix /proc/net/atm/lec handling
https://notcve.org/view.php?id=CVE-2025-38180
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38177 – sch_hfsc: make hfsc_qlen_notify() idempotent
https://notcve.org/view.php?id=CVE-2025-38177
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it. 2. eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe. I... • https://git.kernel.org/stable/c/0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38174 – thunderbolt: Do not double dequeue a configuration request
https://notcve.org/view.php?id=CVE-2025-38174
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call Trace:
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38173 – crypto: marvell/cesa - Handle zero-length skcipher requests
https://notcve.org/view.php?id=CVE-2025-38173
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. • https://git.kernel.org/stable/c/f63601fd616ab370774fa00ea10bcaaa9e48e84c •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38163 – f2fs: fix to do sanity check on sbi->total_valid_block_count
https://notcve.org/view.php?id=CVE-2025-38163
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sbi->total_valid_block_count syzbot reported a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace: f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 f2fs_truncate_inode_blocks+0x8e3/0x1370 f... • https://git.kernel.org/stable/c/39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38161 – RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
https://notcve.org/view.php?id=CVE-2025-38161
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure. Now properly rollback the object to its original state upon such failure. In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: u... • https://git.kernel.org/stable/c/e2013b212f9f201c71fc5826ce41f39ebece0852 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38157 – wifi: ath9k_htc: Abort software beacon handling if disabled
https://notcve.org/view.php?id=CVE-2025-38157
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled. In the Linux kernel, the following vulnerability has been resolved: wif... • https://git.kernel.org/stable/c/832f6a18fc2aead14954c081ece03b7a5b425f81 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38136 – usb: renesas_usbhs: Reorder clock handling and power management in probe
https://notcve.org/view.php?id=CVE-2025-38136
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Reorder clock handling and power management in probe Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks. Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows: usbhs_probe() usbhs_sys_cloc... • https://git.kernel.org/stable/c/f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38126 – net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
https://notcve.org/view.php?id=CVE-2025-38126
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0: Division by zero in kernel. CPU: 1 UID: 0 PID: 1 Comm: ... • https://git.kernel.org/stable/c/19d857c9038e5c07db8f8cc02b5ad0cd0098714f •