
CVE-2025-21967 – ksmbd: fix use-after-free in ksmbd_free_work_struct
https://notcve.org/view.php?id=CVE-2025-21967
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever an oplock break wait is needed. • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •

CVE-2025-21966 – dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature
https://notcve.org/view.php?id=CVE-2025-21966
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init • https://git.kernel.org/stable/c/1d9a943898533e83f20370c0e1448d606627522e •

CVE-2025-21965 – sched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl()
https://notcve.org/view.php?id=CVE-2025-21965
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: sched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl() If a BPF scheduler provides an invalid CPU (outside the nr_cpu_ids range) as prev_cpu to scx_bpf_select_cpu_dfl() it can cause a kernel crash. To prevent this, validate prev_cpu in scx_bpf_select_cpu_dfl() and trigger an scx error if an invalid CPU is specified. • https://git.kernel.org/stable/c/f0e1a0643a59bf1f922fa209cec86a170b784f3f •

CVE-2025-21964 – cifs: Fix integer overflow while processing acregmax mount option
https://notcve.org/view.php?id=CVE-2025-21964
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acregmax mount option User-provided mount parameter acregmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/5780464614f6abe6026f00cf5a0777aa453ba450 •

CVE-2025-21963 – cifs: Fix integer overflow while processing acdirmax mount option
https://notcve.org/view.php?id=CVE-2025-21963
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acdirmax mount option User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/4c9f948142a550af416a2bfb5e56d29ce29e92cf •

CVE-2025-21962 – cifs: Fix integer overflow while processing closetimeo mount option
https://notcve.org/view.php?id=CVE-2025-21962
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing closetimeo mount option User-provided mount parameter closetimeo of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/5efdd9122eff772eae2feae9f0fc0ec02d4846a3 •

CVE-2025-21961 – eth: bnxt: fix truesize for mb-xdp-pass case
https://notcve.org/view.php?id=CVE-2025-21961
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix truesize for mb-xdp-pass case When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but the skb_shared_info was wiped by napi_build_skb() before. So it stores sinfo->nr_frags before... • https://git.kernel.org/stable/c/1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 •

CVE-2025-21960 – eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
https://notcve.org/view.php?id=CVE-2025-21960
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work. When th... • https://git.kernel.org/stable/c/1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 •

CVE-2025-21959 – netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
https://notcve.org/view.php?id=CVE-2025-21959
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple. The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them. By commit 34848d5c896e ("... • https://git.kernel.org/stable/c/b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 •

CVE-2025-21958 – Revert "openvswitch: switch to per-action label counting in conntrack"
https://notcve.org/view.php?id=CVE-2025-21958
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "openvswitch: switch to per-action label counting in conntrack" Currently, ovs_ct_set_labels() is only called for confirmed conntrack entries (ct) within ovs_ct_commit(). However, if the conntrack entry does not have the labels_ext extension, attempting to allocate it in ovs_ct_get_conn_labels() for a confirmed entry triggers a warning in nf_ct_ext_add(): WARN_ON(nf_ct_is_confirmed(ct)); This happens when the conntrack entry is creat... • https://git.kernel.org/stable/c/fcb1aa5163b1ae4cf2864b688b08927aac51f51e •