CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38559 – platform/x86/intel/pmt: fix a crashlog NULL pointer access
https://notcve.org/view.php?id=CVE-2025-38559
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: platform/x86/intel/pmt: fix a crashlog NULL pointer access Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Tr... • https://git.kernel.org/stable/c/045a513040cc0242d364c05c3791594e2294f32d •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38557 – HID: apple: validate feature-report field count to prevent NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-38557
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: apple: validate feature-report field count to prevent NULL pointer dereference A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power feature-report is expected to have two data fields, but if the descriptor declares one field then accessing field[1] and dereferencing it in apple_mag... • https://git.kernel.org/stable/c/394ba612f9419ec5bfebbffb72212fd3b2094986 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38556 – HID: core: Harden s32ton() against conversion to 0 bits
https://notcve.org/view.php?id=CVE-2025-38556
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it... • https://git.kernel.org/stable/c/dde5845a529ff753364a6d1aea61180946270bfa •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38555 – usb: gadget : fix use-after-free in composite_dev_cleanup()
https://notcve.org/view.php?id=CVE-2025-38555
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget : fix use-after-free in composite_dev_cleanup() 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): if kmalloc fails, the pointer cdev->os_desc_req will be freed but not set to NULL. Then it will return a failure to the upper-level function. 2. in func configfs_composite_bind() -> composite_dev_cleanup(): it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it will attempt to use it.This will... • https://git.kernel.org/stable/c/37a3a533429ef9b3cc9f15a656c19623f0e88df7 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38553 – net/sched: Restrict conditions for adding duplicating netems to qdisc tree
https://notcve.org/view.php?id=CVE-2025-38553
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplicating netem cannot exist in a tree with other netems. Previous approaches suggested in discussions in chronological order: 1) Track duplication status or ttl in t... • https://git.kernel.org/stable/c/0afb51e72855971dba83b3c6b70c547c2d1161fd •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4130 – ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()
https://notcve.org/view.php?id=CVE-2023-4130
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of current smb2_ea_info. ksmbd need to validate buffer length Before accessing the next ea. ksmbd should check buffer length using buf_len, not next variable. next is the start offset of current ea that got from previous ea. In the ... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-4515 – ksmbd: validate command request size
https://notcve.org/view.php?id=CVE-2023-4515
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), except for SMB2_OPLOCK_BREAK_HE command, the request size of other commands is not checked, it's not expected. Fix it by add check for request size of other commands. In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), excep... • https://git.kernel.org/stable/c/35f450f54dca1519bb24faacd0428db09f89a11f •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38552 – mptcp: plug races between subflow fail and subflow creation
https://notcve.org/view.php?id=CVE-2025-38552
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is similar. Use a separate flag to track the condition 'socket state prevent any additional subflow creation' protected by the fallback lock. The socket fallback makes such flag true, and also receiving or sending an... • https://git.kernel.org/stable/c/478d770008b03ed9d74bdc8add2315b7fd124ecc •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38551 – virtio-net: fix recursived rtnl_lock() during probe()
https://notcve.org/view.php?id=CVE-2025-38551
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix recursived rtnl_lock() during probe() The deadlock appears in a stack trace like: virtnet_probe() rtnl_lock() virtio_config_changed_work() netdev_notify_peers() rtnl_lock() It happens if the VMM sends a VIRTIO_NET_S_ANNOUNCE request while the virtio-net driver is still probing. The config_work in probe() will get scheduled until virtnet_open() enables the config change notification via virtio_config_driver_enable(). In the L... • https://git.kernel.org/stable/c/df28de7b00502761eba62490f413c65c9b175ed9 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38550 – ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
https://notcve.org/view.php?id=CVE-2025-38550
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return. In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() ... • https://git.kernel.org/stable/c/63ed8de4be81b699ca727e9f8e3344bd487806d7 •