CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-22056 – netfilter: nft_tunnel: fix geneve_opt type confusion addition
https://notcve.org/view.php?id=CVE-2025-22056
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of char *. However, the current implementation erroneously does type conversion before the addition, which will lead to heap out-of-bounds write. [ ... • https://git.kernel.org/stable/c/925d844696d9287f841d6b3e0ed62a35fb175970 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-22055 – net: fix geneve_opt length integer overflow
https://notcve.org/view.php?id=CVE-2025-22055
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is li... • https://git.kernel.org/stable/c/0ed5269f9e41f495c8e9020c85f5e1644c1afc57 •
CVSS: -EPSS: %CPEs: 10EXPL: 0CVE-2025-22054 – arcnet: Add NULL check in com20020pci_probe()
https://notcve.org/view.php?id=CVE-2025-22054
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: arcnet: Add NULL check in com20020pci_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, com20020pci_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensure no resources are left allocated. • https://git.kernel.org/stable/c/e38cd53421ed4e37fc99662a0f2a0c567993844f •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-22053 – net: ibmveth: make veth_pool_store stop hanging
https://notcve.org/view.php?id=CVE-2025-22053
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ibmveth: make veth_pool_store stop hanging v2: - Created a single error handling unlock and exit in veth_pool_store - Greatly expanded commit message with previous explanatory-only text Summary: Use rtnl_mutex to synchronize veth_pool_store with itself, ibmveth_close and ibmveth_open, preventing multiple calls in a row to napi_disable. Background: Two (or more) threads could call veth_pool_store through writing to /sys/devices/vio/3000... • https://git.kernel.org/stable/c/860f242eb5340d0b0cfe243cb86b2a98f92e8b91 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2025-22050 – usbnet:fix NPE during rx_complete
https://notcve.org/view.php?id=CVE-2025-22050
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet:fix NPE during rx_complete Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check. This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SKB data fails to be queued. Subsequent processes: (e.g., rx_complete → defer_bh → __skb_unlink(skb, list)) attempt to access skb->next, triggerin... • https://git.kernel.org/stable/c/b80aacfea6e8d6ed6e430aa13922d6ccf044415a •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-22049 – LoongArch: Increase ARCH_DMA_MINALIGN up to 16
https://notcve.org/view.php?id=CVE-2025-22049
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: LoongArch: Increase ARCH_DMA_MINALIGN up to 16 ARCH_DMA_MINALIGN is 1 by default, but some LoongArch-specific devices (such as APBDMA) require 16 bytes alignment. When the data buffer length is too small, the hardware may make an error writing cacheline. Thus, it is dangerous to allocate a small memory buffer for DMA. It's always safe to define ARCH_DMA_MINALIGN as L1_CACHE_BYTES but unnecessary (kmalloc() need small memory objects). Theref... • https://git.kernel.org/stable/c/f39af67f03b564b763b06e44cb960c10a382d54a •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-22048 – LoongArch: BPF: Don't override subprog's return value
https://notcve.org/view.php?id=CVE-2025-22048
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Don't override subprog's return value The verifier test `calls: div by 0 in subprog` triggers a panic at the ld.bu instruction. The ld.bu insn is trying to load byte from memory address returned by the subprog. The subprog actually set the correct address at the a5 register (dedicated register for BPF return values). But at commit 73c359d1d356 ("LoongArch: BPF: Sign-extend return values") we also sign extended a5 to the a0 r... • https://git.kernel.org/stable/c/0c8d50501bc13cacecc19caaddc10db372592a39 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2025-22045 – x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
https://notcve.org/view.php?id=CVE-2025-22045
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-le... • https://git.kernel.org/stable/c/016c4d92cd16f569c6485ae62b076c1a4b779536 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-22044 – acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
https://notcve.org/view.php?id=CVE-2025-22044
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary bus families can be translated". This warning is emited if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided value call_pkg->nd_family of type u64 is not equal to 0. Then the value is converted to int, and only after that is compared to NVDIMM_BUS_FAMIL... • https://git.kernel.org/stable/c/6450ddbd5d8e83ea9927c7f9076a21f829699e0f •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-22043 – ksmbd: add bounds check for durable handle context
https://notcve.org/view.php?id=CVE-2025-22043
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for durable handle context Add missing bounds check for durable handle context. • https://git.kernel.org/stable/c/8d4848c45943c9cf5e86142fd7347efa97f497db •