CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40146 – blk-mq: fix potential deadlock while nr_requests grown
https://notcve.org/view.php?id=CVE-2025-40146
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nr_requests grown Allocate and free sched_tags while queue is freezed can deadlock[1], this is a long term problem, hence allocate memory before freezing queue and free memory after queue is unfreezed. [1] https://lore.kernel.org/all/0659ea8d-a463-47c8-9180-43c719e106eb@linux.ibm.com/ In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nr_requests grow... • https://git.kernel.org/stable/c/e3a2b3f931f59d5284abd13faf8bded726884ffd •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40144 – nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()
https://notcve.org/view.php?id=CVE-2025-40144
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() devm_kcalloc() may fail. ndtest_probe() allocates three DMA address arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses them in ndtest_nvdimm_init(), which can lead to a NULL pointer dereference under low-memory conditions. Check all three allocations and return -ENOMEM if any allocation fails, jumping to the common error path. Do not emit an extra err... • https://git.kernel.org/stable/c/9399ab61ad82154911563dd8635c585e3f24b16a •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40141 – Bluetooth: ISO: Fix possible UAF on iso_conn_free
https://notcve.org/view.php?id=CVE-2025-40141
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40140 – net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
https://notcve.org/view.php?id=CVE-2025-40140
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning: rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); } rtl8150_set_multicast() { netif_stop_queue(); netif_wake_queue(); <-- wakes up TX queue before URB is done } rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb);... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40139 – smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
https://notcve.org/view.php?id=CVE-2025-40139
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set(). smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() after kernel_getsockname(). Note that the returned value of smc_clc_prfx_set() is not used in the caller. While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst ther... • https://git.kernel.org/stable/c/a046d57da19f812216f393e7c535f5858f793ac3 •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40137 – f2fs: fix to truncate first page in error path of f2fs_truncate()
https://notcve.org/view.php?id=CVE-2025-40137
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate() syzbot reports a bug as below: loop0: detected capacity change from 0 to 40427 F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072) F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock F2FS-fs (loop0): invalid crc value F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix. ------------[ c... • https://git.kernel.org/stable/c/92dffd01790a5219d234fc83c3ba854f4490b7f4 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40136 – crypto: hisilicon/qm - request reserved interrupt for virtual function
https://notcve.org/view.php?id=CVE-2025-40136
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - request reserved interrupt for virtual function The device interrupt vector 3 is an error interrupt for physical function and a reserved interrupt for virtual function. However, the driver has not registered the reserved interrupt for virtual function. When allocating interrupts, the number of interrupts is allocated based on powers of two, which includes this interrupt. When the system enables GICv4 and the virtual f... • https://git.kernel.org/stable/c/3536cc55cadaf2a03241915f9cfdaf6cd073e4fe •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40135 – ipv6: use RCU in ip6_xmit()
https://notcve.org/view.php?id=CVE-2025-40135
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40134 – dm: fix NULL pointer dereference in __dm_suspend()
https://notcve.org/view.php?id=CVE-2025-40134
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 19... • https://git.kernel.org/stable/c/c4576aed8d85d808cd6443bda58393d525207d01 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40129 – sunrpc: fix null pointer dereference on zero-length checksum
https://notcve.org/view.php?id=CVE-2025-40129
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT. In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksu... • https://git.kernel.org/stable/c/0653028e8f1c97fec30710813a001ad8a2ec34f4 •