CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38117 – Bluetooth: MGMT: Protect mgmt_pending list with its own lock
https://notcve.org/view.php?id=CVE-2025-38117
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmt_pending list with its own lock This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like: ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318 CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15... • https://git.kernel.org/stable/c/a380b6cff1a2d2139772e88219d08330f84d0381 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38115 – net_sched: sch_sfq: fix a potential crash on gso_skb handling
https://notcve.org/view.php?id=CVE-2025-38115
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop. Fix sfq_drop() to properly clear q->tail in this situation. ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K... • https://git.kernel.org/stable/c/a53851e2c3218aa30b77abd6e68cf1c371f15afe •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-38113 – ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
https://notcve.org/view.php?id=CVE-2025-38113
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Fix NULL pointer dereference when nosmp is used With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic. Panic backtrace: [ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [ 0.403255] [
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38112 – net: Fix TOCTOU issue in sk_is_readable()
https://notcve.org/view.php?id=CVE-2025-38112
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: Fix TOCTOU issue in sk_is_readable() sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL. This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereferen... • https://git.kernel.org/stable/c/8934ce2fd08171e8605f7fada91ee7619fe17ab8 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38111 – net/mdiobus: Fix potential out-of-bounds read/write access
https://notcve.org/view.php?id=CVE-2025-38111
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation sh... • https://git.kernel.org/stable/c/080bb352fad00d04995102f681b134e3754bfb6e •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38110 – net/mdiobus: Fix potential out-of-bounds clause 45 read/write access
https://notcve.org/view.php?id=CVE-2025-38110
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. Whi... • https://git.kernel.org/stable/c/4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38109 – net/mlx5: Fix ECVF vports unload on shutdown flow
https://notcve.org/view.php?id=CVE-2025-38109
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed. ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports. kernel log: [] refcount_t: under... • https://git.kernel.org/stable/c/a7719b29a82199b90ebbf355d3332e0fbfbf6045 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38108 – net_sched: red: fix a race in __red_change()
https://notcve.org/view.php?id=CVE-2025-38108
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()... • https://git.kernel.org/stable/c/0c8d13ac96070000da33f394f45e9c19638483c5 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2025-38107 – net_sched: ets: fix a race in ets_qdisc_change()
https://notcve.org/view.php?id=CVE-2025-38107
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backl... • https://git.kernel.org/stable/c/699d82e9a6db29d509a71f1f2f4316231e6232e6 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-38105 – ALSA: usb-audio: Kill timer properly at removal
https://notcve.org/view.php?id=CVE-2025-38105
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(... • https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5 •