CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38495 – HID: core: ensure the allocated report buffer can contain the reserved report ID
https://notcve.org/view.php?id=CVE-2025-38495
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: núcleo: garantizar que el bú... • https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38494 – HID: core: do not bypass hid_hw_raw_request
https://notcve.org/view.php?id=CVE-2025-38494
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: núcleo: no omitir hid_hw_raw_request. hid_hw_raw_request() es útil para garantizar la validez del búfer y la longitud... • https://git.kernel.org/stable/c/a62a895edb2bfebffa865b5129a66e3b4287f34f •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38483 – comedi: das16m1: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38483
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original... • https://git.kernel.org/stable/c/729988507680b2ce934bce61d9ce0ea7b235914c •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38482 – comedi: das6402: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38482
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test.... • https://git.kernel.org/stable/c/79e5e6addbb18bf56075f0ff552094a28636dd03 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38481 – comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
https://notcve.org/view.php?id=CVE-2025-38481
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. D... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38480 – comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
https://notcve.org/view.php?id=CVE-2025-38480
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_re... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38478 – comedi: Fix initialization of data for instructions that write to subdevice
https://notcve.org/view.php?id=CVE-2025-38478
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, th... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38477 – net/sched: sch_qfq: Fix race condition on qfq_aggregate
https://notcve.org/view.php?id=CVE-2025-38477
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_clas... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38474 – usb: net: sierra: check for no status endpoint
https://notcve.org/view.php?id=CVE-2025-38474
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: net: sierra: comprobar si el endpoint no tiene estado. El controlador comprueba si hay tres endpoints y si hay endpoints de entrada y salida masivos, pero no si el terc... • https://git.kernel.org/stable/c/eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38473 – Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
https://notcve.org/view.php?id=CVE-2025-38473
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access... • https://git.kernel.org/stable/c/d97c899bde330cd1c76c3a162558177563a74362 •