CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38538 – dmaengine: nbpfaxi: Fix memory corruption in probe()
https://notcve.org/view.php?id=CVE-2025-38538
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory. The changes to the second loop are more involved. In this case, we're copying data from the irqbuf[] array into the nbpf->chan[] array. If the data in irqbuf[i] is the error IRQ then we skip it, so t... • https://git.kernel.org/stable/c/b45b262cefd5b8eb2ba88d20e5bd295881293894 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38535 – phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode
https://notcve.org/view.php?id=CVE-2025-38535
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code assumed that the regulator should be disabled. However, if the regulator is marked as always-on, regulator_is_enabled() continues to return true, leading to an incorrect attempt to disable a regulator which is not enabled. This can result in warnings such as: [ 250.155624] WARNING: CPU: 1 PID: 7326 at driver... • https://git.kernel.org/stable/c/49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38531 – iio: common: st_sensors: Fix use of uninitialize device structs
https://notcve.org/view.php?id=CVE-2025-38531
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: common: st_sensors: Fix use of uninitialize device structs Throughout the various probe functions &indio_dev->dev is used before it is initialized. This caused a kernel panic in st_sensors_power_enable() when the call to devm_regulator_bulk_get_enable() fails and then calls dev_err_probe() with the uninitialized device. This seems to only cause a panic with dev_err_probe(), dev_err(), dev_warn() and dev_info() don't seem to cause a pan... • https://git.kernel.org/stable/c/610615c9668037e3eca11132063b93b2d945af13 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38530 – comedi: pcl812: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38530
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ wi... • https://git.kernel.org/stable/c/fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38529 – comedi: aio_iiro_16: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38529
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will b... • https://git.kernel.org/stable/c/ad7a370c8be47247f68f7187cc82f4f25a347116 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38528 – bpf: Reject %p% format string in bprintf-like helpers
https://notcve.org/view.php?id=CVE-2025-38528
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0 This happens because bpf_bprintf_prepare skips over the second %, detected as punctuation, while processing %p. This pat... • https://git.kernel.org/stable/c/48cac3f4a96ddf08df8e53809ed066de0dc93915 •
CVSS: 7.0EPSS: 0%CPEs: 10EXPL: 0CVE-2025-38527 – smb: client: fix use-after-free in cifs_oplock_break
https://notcve.org/view.php?id=CVE-2025-38527
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb() kill_anon_super() generic_shutdown_super() evict_inodes() dispose_list() evict() destroy_inode() call_rcu(&inode->i_rcu, i_callback) spin_lock... • https://git.kernel.org/stable/c/b98749cac4a695f084a5ff076f4510b23e353ecd •
CVSS: 4.7EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38524 – rxrpc: Fix recv-recv race of completed call
https://notcve.org/view.php?id=CVE-2025-38524
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recv-recv race of completed call If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in ... • https://git.kernel.org/stable/c/248f219cb8bcbfbd7f132752d44afa2df7c241d1 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38520 – drm/amdkfd: Don't call mmput from MMU notifier callback
https://notcve.org/view.php?id=CVE-2025-38520
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding... • https://git.kernel.org/stable/c/fa582c6f3684ac0098a9d02ddf0ed52a02b37127 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38516 – pinctrl: qcom: msm: mark certain pins as invalid for interrupts
https://notcve.org/view.php?id=CVE-2025-38516
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certain pins as invalid for interrupts On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG() in the pinctrl-msm driver by running, for example: `gpiomon -c 0 113` on RB2. The exact culprit is requesting pins whose intr_detection_width setting is not 1 or 2 for interrupts. This hits a BUG() in msm_gpio... • https://git.kernel.org/stable/c/f365be0925729508fd8e62f8bdb504ef896cb6e0 •