CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38395 – regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
https://notcve.org/view.php?id=CVE-2025-38395
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the code to allocate enough memory to hold 'config::ngpios' of GPIO descriptors. While at it, also move the check for memory allocation failure to be below the allocat... • https://git.kernel.org/stable/c/d6cd33ad71029a3f77ba1686caf55d4dea58d916 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38393 – NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN
https://notcve.org/view.php?id=CVE-2025-38393
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN We found a few different systems hung up in writeback waiting on the same page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count was zero. It seems most likely that this is another race between the waiter and waker similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task"). Fix it up by applying... • https://git.kernel.org/stable/c/8acc3e228e1c90bd410f73597a4549e0409f22d6 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38391 – usb: typec: altmodes/displayport: do not index invalid pin_assignments
https://notcve.org/view.php?id=CVE-2025-38391
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: do not index invalid pin_assignments A poorly implemented DisplayPort Alt Mode port partner can indicate that its pin assignment capabilities are greater than the maximum value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show will cause a BRK exception due to an out of bounds array access. Prevent for loop in pin_assignment_show from accessing invalid values in pin_assignments by adding DP_PIN_A... • https://git.kernel.org/stable/c/0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38389 – drm/i915/gt: Fix timeline left held on VMA alloc error
https://notcve.org/view.php?id=CVE-2025-38389
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: <4> [239.330153] ------------[ cut here ]------------ <4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count) <4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915] ... ... • https://git.kernel.org/stable/c/75d0a7f31eec8ec4a53b4485905800e09dc5091f •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38387 – RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
https://notcve.org/view.php?id=CVE-2025-38387
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert The obj_event may be loaded immediately after inserted, then if the list_head is not initialized then we may get a poisonous pointer. This fixes the crash below: mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced) mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056 mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0 mlx5_core.sf mlx5_... • https://git.kernel.org/stable/c/7597385371425febdaa8c6a1da3625d4ffff16f5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38386 – ACPICA: Refuse to evaluate a method if arguments are missing
https://notcve.org/view.php?id=CVE-2025-38386
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear AML issue that arguably cannot be fixed up by the interpreter (it cannot produce missing data out of thin air), address it by making ACPICA refuse to evaluate a me... • https://git.kernel.org/stable/c/b49d224d1830c46e20adce2a239c454cdab426f1 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38384 – mtd: spinand: fix memory leak of ECC engine conf
https://notcve.org/view.php?id=CVE-2025-38384
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: spinand: fix memory leak of ECC engine conf Memory allocated for the ECC engine conf is not released during spinand cleanup. Below kmemleak trace is seen for this memory leak: unreferenced object 0xffffff80064f00e0 (size 8): comm "swapper/0", pid 1, jiffies 4294937458 hex dump (first 8 bytes): 00 00 00 00 00 00 00 00 ........ backtrace (crc 0): kmemleak_alloc+0x30/0x40 __kmalloc_cache_noprof+0x208/0x3c0 spinand_ondie_ecc_init_ctx+0x114... • https://git.kernel.org/stable/c/68d3417305ee100dcad90fd6e5846b22497aa394 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38380 – i2c/designware: Fix an initialization issue
https://notcve.org/view.php?id=CVE-2025-38380
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: i2c/designware: Fix an initialization issue The i2c_dw_xfer_init() function requires msgs and msg_write_idx from the dev context to be initialized. amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx. This could allow an out of bounds access (of msgs). Initialize msg_write_idx before calling i2c_dw_xfer_init(). • https://git.kernel.org/stable/c/17631e8ca2d3421090e54b39d9a1402091019ba1 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38377 – rose: fix dangling neighbour pointers in rose_rt_device_down()
https://notcve.org/view.php?id=CVE-2025-38377
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be sk... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38375 – virtio-net: ensure the received length does not exceed allocated size
https://notcve.org/view.php?id=CVE-2025-38375
25 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. • https://git.kernel.org/stable/c/4941d472bf95b4345d6e38906fcf354e74afa311 •