CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2025-22094 – powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'
https://notcve.org/view.php?id=CVE-2025-22094
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu' Commit 176cda0619b6 ("powerpc/perf: Add perf interface to expose vpa counters") introduced 'vpa_pmu' to expose Book3s-HV nested APIv2 provided L1<->L2 context switch latency counters to L1 user-space via perf-events. However the newly introduced PMU named 'vpa_pmu' doesn't assign ownership of the PMU to the module 'vpa_pmu'. Consequently the module 'vpa_pmu' can be unloaded while one of th... • https://git.kernel.org/stable/c/176cda0619b6c17a553625f6e2fcbc3981ad667d •
CVSS: 5.5EPSS: %CPEs: 6EXPL: 0CVE-2025-22093 – drm/amd/display: avoid NPD when ASIC does not support DMUB
https://notcve.org/view.php?id=CVE-2025-22093
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid NPD when ASIC does not support DMUB ctx->dmub_srv will de NULL if the ASIC does not support DMUB, which is tested in dm_dmub_sw_init. However, it will be dereferenced in dmub_hw_lock_mgr_cmd if should_use_dmub_lock returns true. This has been the case since dmub support has been added for PSR1. Fix this by checking for dmub_srv in should_use_dmub_lock. [ 37.440832] BUG: kernel NULL pointer dereference, address: 000000... • https://git.kernel.org/stable/c/b7d2461858ac75c9d6bc4ab8af1a738d0814b716 •
CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2025-22092 – PCI: Fix NULL dereference in SR-IOV VF creation error path
https://notcve.org/view.php?id=CVE-2025-22092
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: Fix NULL dereference in SR-IOV VF creation error path Clean up when virtfn setup fails to prevent NULL pointer dereference during device removal. The kernel oops below occurred due to incorrect error handling flow when pci_setup_device() fails. Add pci_iov_scan_device(), which handles virtfn allocation and setup and cleans up if pci_setup_device() fails, so pci_iov_add_virtfn() doesn't need to call pci_stop_and_remove_bus_device(). Thi... • https://git.kernel.org/stable/c/e3f30d563a388220a7c4e3b9a7b52ac0b0324b26 •
CVSS: 7.1EPSS: %CPEs: 4EXPL: 0CVE-2025-22091 – RDMA/mlx5: Fix page_size variable overflow
https://notcve.org/view.php?id=CVE-2025-22091
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix page_size variable overflow Change all variables storing mlx5_umem_mkc_find_best_pgsz() result to unsigned long to support values larger than 31 and avoid overflow. For example: If we try to register 4GB of memory that is contiguous in physical memory, the driver will optimize the page_size and try to use an mkey with 4GB entity size. The 'unsigned int' page_size variable will overflow to '0' and we'll hit the WARN_ON() in al... • https://git.kernel.org/stable/c/cef7dde8836ab09a3bfe96ada4f18ef2496eacc9 •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-22090 – x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()
https://notcve.org/view.php?id=CVE-2025-22090
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. As fork() fails, we'll cleanup the maple tree, and stumble over the dst VMA for which we neither performed any reservation nor copied any page tables. Consequently untrack_pfn() will see VM_PAT and try obtaining the PAT information from the page table -- which fails because the page table was not ... • https://git.kernel.org/stable/c/2ab640379a0ab4cef746ced1d7e04a0941774bcb •
CVSS: 5.5EPSS: %CPEs: 7EXPL: 0CVE-2025-22089 – RDMA/core: Don't expose hw_counters outside of init net namespace
https://notcve.org/view.php?id=CVE-2025-22089
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one: [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 [42021.814463] #PF: supervisor read access i... • https://git.kernel.org/stable/c/467f432a521a284c418e3d521ee51840a5e23424 •
CVSS: 5.5EPSS: %CPEs: 6EXPL: 0CVE-2025-22088 – RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
https://notcve.org/view.php?id=CVE-2025-22088
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue. In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a... • https://git.kernel.org/stable/c/920d93eac8b97778fef48f34f10e58ddf870fc2a •
CVSS: 7.1EPSS: %CPEs: 4EXPL: 0CVE-2025-22087 – bpf: Fix array bounds error with may_goto
https://notcve.org/view.php?id=CVE-2025-22087
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix array bounds error with may_goto may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index by stack_size. 1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT cases, reject loading directly. 2. For non-JIT cases, calculating interpreters[idx] may still cause out-of-bounds array access, and just warn about it. 3. For jit_requested cases, th... • https://git.kernel.org/stable/c/011832b97b311bb9e3c27945bc0d1089a14209c9 •
CVSS: 5.5EPSS: %CPEs: 9EXPL: 0CVE-2025-22086 – RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
https://notcve.org/view.php?id=CVE-2025-22086
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against... • https://git.kernel.org/stable/c/e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c •
CVSS: 7.8EPSS: %CPEs: 4EXPL: 0CVE-2025-22085 – RDMA/core: Fix use-after-free when rename device name
https://notcve.org/view.php?id=CVE-2025-22085
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix use-after-free when rename device name Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025 CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name: Google... • https://git.kernel.org/stable/c/9cbed5aab5aeea420d0aa945733bf608449d44fb •