
CVE-2022-49936 – USB: core: Prevent nested device-reset calls
https://notcve.org/view.php?id=CVE-2022-49936
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: core: Prevent nested device-reset calls Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 bu... • https://git.kernel.org/stable/c/d90419b8b8322b6924f6da9da952647f2dadc21b •

CVE-2022-49935 – dma-buf/dma-resv: check if the new fence is really later
https://notcve.org/view.php?id=CVE-2022-49935
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dma-buf/dma-resv: check if the new fence is really later Previously when we added a fence to a dma_resv object we always assumed the the newer than all the existing fences. With Jason's work to add an UAPI to explicit export/import that's not necessary the case any more. So without this check we would allow userspace to force the kernel into an use after free error. Since the change is very small and defensive it's probably a good idea to b... • https://git.kernel.org/stable/c/c4c798fe98adceb642050819cb57cbc8f5c27870 •

CVE-2022-49934 – wifi: mac80211: Fix UAF in ieee80211_scan_rx()
https://notcve.org/view.php?id=CVE-2022-49934
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix UAF in ieee80211_scan_rx() ieee80211_scan_rx() tries to access scan_req->flags after a null check, but a UAF is observed when the scan is completed and __ieee80211_scan_completed() executes, which then calls cfg80211_scan_done() leading to the freeing of scan_req. Since scan_req is rcu_dereference()'d, prevent the racing in __ieee80211_scan_completed() by ensuring that from mac80211's POV it is no longer accessed from an... • https://git.kernel.org/stable/c/6eb181a64fdabf10be9e54de728876667da20255 •

CVE-2025-38082 – gpio: virtuser: fix potential out-of-bound write
https://notcve.org/view.php?id=CVE-2025-38082
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix potential out-of-bound write If the caller wrote more characters, count is truncated to the max available space in "simple_write_to_buffer". Check that the input size does not exceed the buffer size. Write a zero termination afterwards. In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix potential out-of-bound write If the caller wrote more characters, count is truncated to the max ava... • https://git.kernel.org/stable/c/afe090366f470f77e140ff3407db813f57852c04 •

CVE-2025-38081 – spi-rockchip: Fix register out of bounds access
https://notcve.org/view.php?id=CVE-2025-38081
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. • https://git.kernel.org/stable/c/4a120221661fcecb253448d7b041a52d47f1d91f •

CVE-2025-38080 – drm/amd/display: Increase block_sequence array size
https://notcve.org/view.php?id=CVE-2025-38080
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to b... • https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757 •

CVE-2025-38079 – crypto: algif_hash - fix double free in hash_accept
https://notcve.org/view.php?id=CVE-2025-38079
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set ... • https://git.kernel.org/stable/c/fe869cdb89c95d060c77eea20204d6c91f233b53 •

CVE-2025-38078 – ALSA: pcm: Fix race of buffer access at PCM OSS layer
https://notcve.org/view.php?id=CVE-2025-38078
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform... • https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f •

CVE-2025-38075 – scsi: target: iscsi: Fix timeout on deleted connection
https://notcve.org/view.php?id=CVE-2025-38075
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_hand... • https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35 •

CVE-2025-38074 – vhost-scsi: protect vq->log_used with vq->mutex
https://notcve.org/view.php?id=CVE-2025-38074
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_... • https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c •