CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37761 – drm/xe: Fix an out-of-bounds shift when invalidating TLB
https://notcve.org/view.php?id=CVE-2025-37761
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix an out-of-bounds shift when invalidating TLB When the size of the range invalidated is larger than rounddown_pow_of_two(ULONG_MAX), The function macro roundup_pow_of_two(length) will hit an out-of-bounds shift [1]. Use a full TLB invalidation for such cases. v2: - Use a define for the range size limit over which we use a full TLB invalidation. (Lucas) - Use a better calculation of the limit. [1]: [ 39.202421] ------------[ cut h... • https://git.kernel.org/stable/c/332dd0116c82a75df175a459fa69dda3f23491a7 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37760 – mm/vma: add give_up_on_oom option on modify/merge, use in uffd release
https://notcve.org/view.php?id=CVE-2025-37760
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Currently, if a VMA merge fails due to an OOM condition arising on commit merge or a failure to duplicate anon_vma's, we report this so the caller can handle it. However there are cases where the caller is only ostensibly trying a merge, and doesn't mind if it fails due to this condition. Since we do not want to introduce an implicit assumption that we only actually modi... • https://git.kernel.org/stable/c/79636d2981b066acd945117387a9533f56411f6f •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37759 – ublk: fix handling recovery & reissue in ublk_abort_queue()
https://notcve.org/view.php?id=CVE-2025-37759
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ublk: fix handling recovery & reissue in ublk_abort_queue() Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command. If it is one zc request, the request can be freed before io_uring returns the zc buffer back, then cause kernel panic: [ 126.773061] BUG: kernel... • https://git.kernel.org/stable/c/8284066946e6d9cc979566ce698fe24e7ca0b31e •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37758 – ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
https://notcve.org/view.php?id=CVE-2025-37758
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does not check for this case, which can result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue. In the Linux kernel, the following vulnerability has been resolved: ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() devm_ioremap() returns NULL ... • https://git.kernel.org/stable/c/2dc6c6f15da97cb3e810963c80e981f19d42cd7d •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37757 – tipc: fix memory leak in tipc_link_xmit
https://notcve.org/view.php?id=CVE-2025-37757
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded, tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to memory leak and failure when a skb is allocated. This commit fixes this issue by purging the skb list before tipc_link_xmit() returns. In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit ... • https://git.kernel.org/stable/c/365ad353c2564bba8835290061308ba825166b3a •
CVSS: 5.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37756 – net: tls: explicitly disallow disconnect
https://notcve.org/view.php?id=CVE-2025-37756
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the war... • https://git.kernel.org/stable/c/3c4d7559159bfe1e3b94df3a657b2cda3a34e218 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37755 – net: libwx: handle page_pool_dev_alloc_pages error
https://notcve.org/view.php?id=CVE-2025-37755
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: libwx: handle page_pool_dev_alloc_pages error page_pool_dev_alloc_pages could return NULL. There was a WARN_ON(!page) but it would still proceed to use the NULL pointer and then crash. This is similar to commit 001ba0902046 ("net: fec: handle page_pool_dev_alloc_pages error"). This is found by our static analysis tool KNighter. • https://git.kernel.org/stable/c/3c47e8ae113a68da47987750d9896e325d0aeedd •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37754 – drm/i915/huc: Fix fence not released on early probe errors
https://notcve.org/view.php?id=CVE-2025-37754
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/huc: Fix fence not released on early probe errors HuC delayed loading fence, introduced with commit 27536e03271da ("drm/i915/huc: track delayed HuC load with a fence"), is registered with object tracker early on driver probe but unregistered only from driver remove, which is not called on early probe errors. Since its memory is allocated under devres, then released anyway, it may happen to be allocated again to the fence and reused... • https://git.kernel.org/stable/c/27536e03271da3dafcdddf735102041a26ad5bd0 •
CVSS: 9.4EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37752 – net_sched: sch_sfq: move the limit validation
https://notcve.org/view.php?id=CVE-2025-37752
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdi... • https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37750 – smb: client: fix UAF in decryption with multichannel
https://notcve.org/view.php?id=CVE-2025-37750
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in decryption with multichannel After commit f7025d861694 ("smb: client: allocate crypto only for primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in async decryption"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, but that can't done as there could be multiple cifsd threads (one per channel) simultaneously accessing it to perform decryption. This fixes the... • https://git.kernel.org/stable/c/b0abcd65ec545701b8793e12bc27dc98042b151a •