CVSS: 6.3 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38687 – comedi: fix race between polling and detaching
https://notcve.org/view.php?id=CVE-2025-38687
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: fix race between polling and detaching. syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of... • https://git.kernel.org/stable/c/2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 •
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-38685 – fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
https://notcve.org/view.php?id=CVE-2025-38685
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit. This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part of mapping it has to do resize of console according to frame buffer info. If this resize fails and returns from vc_do_resize() and continues further. At this point... • https://git.kernel.org/stable/c/078e62bffca4b7e72e8f3550eb063ab981c36c7a •
CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38680 – media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
https://notcve.org/view.php?id=CVE-2025-38680
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format(). The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), but the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format(). • https://git.kernel.org/stable/c/c0efd232929c2cd87238de2cccdaf4e845be5b0c •
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-38677 – f2fs: fix to avoid out-of-boundary access in dnode page
https://notcve.org/view.php?id=CVE-2025-38677
30 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in dnode page. As Jiaming Zhang reported:
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-38668 – regulator: core: fix NULL dereference on unbind due to stale coupling data
https://notcve.org/view.php?id=CVE-2025-38668
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix NULL dereference on unbind due to stale coupling data. Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can lead to NULL pointer dereference when regulators are accessed post-unbind. This can happen during runtime PM or other regulator operations that rely on coupling metadata. For example, on ridesx4, unbinding the 'reg-dummy' platform device triggers a panic in regulator_lock_recursive() due to stal... • https://git.kernel.org/stable/c/7574892e259bbb16262ebfb4b65a2054a5e03a49 •
CVSS: 5.6 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-38666 – net: appletalk: Fix use-after-free in AARP proxy probe
https://notcve.org/view.php?id=CVE-2025-38666
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe. The AARP proxy-probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition:
    cpu 0            | cpu 1
    atalk_sendmsg()  | atif_proxy_probe_device()
    aarp_send_ddp()  | aarp_proxy_probe_network()
    mod_time...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-38665 – can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
https://notcve.org/view.php?id=CVE-2025-38665
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode. Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code paths that call struct can_priv::do_set_mode:
    - directly by a manual restart from the user space, via can_changelink()
    - delayed automatic restart after bus off (deactivated by...
• https://git.kernel.org/stable/c/39549eef3587f1c1e8c65c88a2400d10fd30ea17 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-38663 – nilfs2: reject invalid file types when reading inodes
https://notcve.org/view.php?id=CVE-2025-38663
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject invalid file types when reading inodes. To prevent inodes with invalid file types from tripping through the vfs and causing malfunctions or assertion failures, add a missing sanity check when reading an inode from a block device. If the file type is not valid, treat it as a filesystem error. • https://git.kernel.org/stable/c/05fe58fdc10df9ebea04c0eaed57adc47af5c184 •
CVSS: 5.6 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2025-38644 – wifi: mac80211: reject TDLS operations when station is not associated
https://notcve.org/view.php?id=CVE-2025-38644
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject TDLS operations when station is not associated. syzbot triggered a WARN in ieee80211_tdls_oper() by sending NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT, before association completed and without prior TDLS setup. This left internal state like sdata->u.mgd.tdls_peer uninitialized, leading to a WARN_ON() in code paths that assumed it was valid. Reject the operation early if not in station mode or not as... • https://git.kernel.org/stable/c/81dd2b8822410e56048b927be779d95a2b6dc186 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38639 – netfilter: xt_nfacct: don't assume acct name is null-terminated
https://notcve.org/view.php?id=CVE-2025-38639
22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_nfacct: don't assume acct name is null-terminated.
    BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
    Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
    [..]
    string+0x231/0x2b0 lib/vsprintf.c:721
    vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
    [..]
    nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
    xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523
nfnl_acct_find_get() handles non-null input, but ... • https://git.kernel.org/stable/c/ceb98d03eac5704820f2ac1f370c9ff385e3a9f5 •
