CVSS: 7.8 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2025-40118 – scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
https://notcve.org/view.php?id=CVE-2025-40118
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when device is gone") UBSAN reports: UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17 index 28 is out of range for type 'pm8001_phy [16]' on rmmod when using an expander. For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contain... • https://git.kernel.org/stable/c/05b512879eab41faa515b67fa3896d0005e97909 •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40116 – usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
https://notcve.org/view.php?id=CVE-2025-40116
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it. • https://git.kernel.org/stable/c/05dfa5c9bc37933181b619e42ec0eeb41ef31362 •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40115 – scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
https://notcve.org/view.php?id=CVE-2025-40115
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device. Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal. [83428... • https://git.kernel.org/stable/c/f92363d12359498f9a9960511de1a550f0ec41c2 •
CVSS: 5.5 • EPSS: 0% • CPEs: 10 • EXPL: 0 • CVE-2025-40112 – sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara
https://notcve.org/view.php?id=CVE-2025-40112
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent ... • https://git.kernel.org/stable/c/7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e •
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40111 – drm/vmwgfx: Fix Use-after-free in validation
https://notcve.org/view.php?id=CVE-2025-40111
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely. • https://git.kernel.org/stable/c/64ad2abfe9a628ce79859d072704bd1ef7682044 •
CVSS: 7.2 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-40110 – drm/vmwgfx: Fix a null-ptr access in the cursor snooper
https://notcve.org/view.php?id=CVE-2025-40110
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it. vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers because some svga commands accept SVGA3D_INVALID_ID to mean "no surface", unfortunately functions that accept the actual surfaces as objects might (and in case of the cursor snooper, do not) be able to ha... • https://git.kernel.org/stable/c/c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40109 – crypto: rng - Ensure set_ent is always present
https://notcve.org/view.php?id=CVE-2025-40109
09 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: rng - Ensure set_ent is always present Ensure that set_ent is always set since only drbg provides it. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the oldstable distribution (bookworm), these problems have been fixed in version 6.1.158-1. • https://git.kernel.org/stable/c/77ebdabe8de7c02f43c6de3357f79ff96f9f0579 •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-40107 – can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
https://notcve.org/view.php?id=CVE-2025-40107
03 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled This issue is similar to the vulnerability in the `mcp251x` driver, which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from sleep before interface was brought up"). In the `hi311x` driver, when the device resumes from sleep, the driver schedules `priv->restart_work`. However, if the network interface was not previously enabled, the... • https://git.kernel.org/stable/c/d1fc4c041459e2d4856c1b2501486ba4f0cbf96b •
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40106 – comedi: fix divide-by-zero in comedi_buf_munge()
https://notcve.org/view.php?id=CVE-2025-40106
31 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: fix divide-by-zero in comedi_buf_munge() The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar ... • https://git.kernel.org/stable/c/4ffea48c69cb2b96a281cb7e5e42d706996631db •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40105 – vfs: Don't leak disconnected dentries on umount
https://notcve.org/view.php?id=CVE-2025-40105
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail ... • https://git.kernel.org/stable/c/f1ee616214cb22410e939d963bbb2349c2570f02 •
