CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38574 – pptp: ensure minimal skb length in pptp_xmit()
https://notcve.org/view.php?id=CVE-2025-38574
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptp_xmit() Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data on ppp_sync_txmung") fixed ppp_sync_txmunge() We need a similar fix in pptp_xmit(), otherwise we might read uninit data as reported by syzbot. BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [i... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38573 – spi: cs42l43: Property entry should be a null-terminated array
https://notcve.org/view.php?id=CVE-2025-38573
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: cs42l43: Property entry should be a null-terminated array The software node does not specify a count of property entries, so the array must be null-terminated. When unterminated, this can lead to a fault in the downstream cs35l56 amplifier driver, because the node parse walks off the end of the array into unknown memory. In the Linux kernel, the following vulnerability has been resolved: spi: cs42l43: Property entry should be a null-te... • https://git.kernel.org/stable/c/0ca645ab5b1528666f6662a0e620140355b5aea3 •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38572 – ipv6: reject malicious packets in ipv6_gso_segment()
https://notcve.org/view.php?id=CVE-2025-38572
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 ... • https://git.kernel.org/stable/c/d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 •
CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38571 – sunrpc: fix client side handling of tls alerts
https://notcve.org/view.php?id=CVE-2025-38571
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it w... • https://git.kernel.org/stable/c/dea034b963c8901bdcc3d3880c04f0d75c95112f •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38570 – eth: fbnic: unlink NAPIs from queues on error to open
https://notcve.org/view.php?id=CVE-2025-38570
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: unlink NAPIs from queues on error to open CI hit a UaF in fbnic in the AF_XDP portion of the queues.py test. The UaF is in the __sk_mark_napi_id_once() call in xsk_bind(), NAPI has been freed. Looks like the device failed to open earlier, and we lack clearing the NAPI pointer from the queue. In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: unlink NAPIs from queues on error to open CI hit a UaF in f... • https://git.kernel.org/stable/c/557d02238e05eb66b9aba9a1f90f3a2131c6c887 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-38569 – benet: fix BUG when creating VFs
https://notcve.org/view.php?id=CVE-2025-38569
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VFs benet crashes as soon as SRIOV VFs are created: kernel BUG at mm/vmalloc.c:3457! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary) [...] RIP: 0010:vunmap+0x5f/0x70 [...] Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38568 – net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing
https://notcve.org/view.php?id=CVE-2025-38568
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing TCA_MQPRIO_TC_ENTRY_INDEX is validated using NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in the fp[] array, which only has room for 16 elements (0–15). Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1. In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/f62af20bed2d9e824f51cfc97ff01bc261f40e58 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38567 – nfsd: avoid ref leak in nfsd_open_local_fh()
https://notcve.org/view.php?id=CVE-2025-38567
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: avoid ref leak in nfsd_open_local_fh() If two calls to nfsd_open_local_fh() race and both successfully call nfsd_file_acquire_local(), they will both get an extra reference to the net to accompany the file reference stored in *pnf. One of them will fail to store (using xchg()) the file reference in *pnf and will drop that reference but WON'T drop the accompanying reference to the net. This leak means that when the nfs server is shut d... • https://git.kernel.org/stable/c/986a21ace186433e0397a59491646edad8c8d636 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38566 – sunrpc: fix handling of server side tls alerts
https://notcve.org/view.php?id=CVE-2025-38566
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payloa... • https://git.kernel.org/stable/c/5e052dda121e2870dd87181783da4a95d7d2927b •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38565 – perf/core: Exit early on perf_mmap() fail
https://notcve.org/view.php?id=CVE-2025-38565
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: perf/core: Exit early on perf_mmap() fail When perf_mmap() fails to allocate a buffer, it still invokes the event_mapped() callback of the related event. On X86 this might increase the perf_rdpmc_allowed reference counter. But nothing undoes this as perf_mmap_close() is never called in this case, which causes another reference count leak. Return early on failure to prevent that. In the Linux kernel, the following vulnerability has been reso... • https://git.kernel.org/stable/c/1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb •