
CVE-2025-39682 – tls: fix handling of zero-length records on the rx_list
https://notcve.org/view.php?id=CVE-2025-39682
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either only contiguous DATA records (any number of them) or one non-DATA record. If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_... • https://git.kernel.org/stable/c/84c61fe1a75b4255df1e1e7c054c9e6d048da417 •

CVE-2025-39681 – x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
https://notcve.org/view.php?id=CVE-2025-39681
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in their code. This triggers a division by zero fault during early booting stage on our machines with X86_FEATURE_CQM* supported, where get_rdt_mon... • https://git.kernel.org/stable/c/923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 •

CVE-2025-39679 – drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor().
https://notcve.org/view.php?id=CVE-2025-39679
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor(). When the nvif_vmm_type is invalid, we will return error directly without freeing the args in nvif_vmm_ctor(), which leads to a memory leak. Fix it by setting the ret -EINVAL and goto done. • https://git.kernel.org/stable/c/6b252cf42281045a9f803d2198023500cfa6ebd2 •

CVE-2025-39678 – platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL
https://notcve.org/view.php?id=CVE-2025-39678
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL If metric table address is not allocated, accessing metrics_bin will result in a NULL pointer dereference, so add a check. • https://git.kernel.org/stable/c/5150542b8ec5fb561be080ed0ef3bab8598154c3 •

CVE-2025-39677 – net/sched: Fix backlog accounting in qdisc_dequeue_internal
https://notcve.org/view.php?id=CVE-2025-39677
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix backlog accounting in qdisc_dequeue_internal This issue applies for the following qdiscs: hhf, fq, fq_codel, and fq_pie, and occurs in their change handlers when adjusting to the new limit. The problem is the following in the values passed to the subsequent qdisc_tree_reduce_backlog call given a tbf parent: When the tbf parent runs out of tokens, skbs of these qdiscs will be placed in gso_skb. Their peek handlers are qdisc_pe... • https://git.kernel.org/stable/c/4b549a2ef4bef9965d97cbd992ba67930cd3e0fe •

CVE-2025-39676 – scsi: qla4xxx: Prevent a potential error pointer dereference
https://notcve.org/view.php?id=CVE-2025-39676
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. • https://git.kernel.org/stable/c/13483730a13bef372894aefcf73760f5c6c297be •

CVE-2025-39675 – drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
https://notcve.org/view.php?id=CVE-2025-39675
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference. Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function returns null.... • https://git.kernel.org/stable/c/2deade5ede56581722c0d7672f28b09548dc0fc4 •

CVE-2025-39673 – ppp: fix race conditions in ppp_fill_forward_path
https://notcve.org/view.php?id=CVE-2025-39673
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL b... • https://git.kernel.org/stable/c/f6efc675c9dd8d93f826b79ae7e33e03301db609 •

CVE-2025-38735 – gve: prevent ethtool ops after shutdown
https://notcve.org/view.php?id=CVE-2025-38735
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers. In gve, shutdown() tears down most internal data structures. If an ethtool operation i... • https://git.kernel.org/stable/c/974365e518617c9ce917f61aacbba07e4bedcca0 •

CVE-2025-38734 – net/smc: fix UAF on smcsk after smc_listen_out()
https://notcve.org/view.php?id=CVE-2025-38734
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing reports a UAF issue: [ 16.446633] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 16.447134] #PF: supervisor read access in kernel mode [ 16.447516] #PF: error_code(0x0000) - not-present page [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda7... • https://git.kernel.org/stable/c/3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 •