CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37796 – wifi: at76c50x: fix use after free access in at76_disconnect
https://notcve.org/view.php?id=CVE-2025-37796
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface. In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use afte... • https://git.kernel.org/stable/c/29e20aa6c6aff35c81d4da2e2cd516dadb569061 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37794 – wifi: mac80211: Purge vif txq in ieee80211_do_stop()
https://notcve.org/view.php?id=CVE-2025-37794
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Purge vif txq in ieee80211_do_stop() After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state. Because vif.drv_priv is now cleared in this function, this could lead to driver crash. For example in ath12k, ahvif is store in vif.drv_priv.... • https://git.kernel.org/stable/c/ba8c3d6f16a1f9305c23ac1d2fd3992508c5ac03 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37789 – net: openvswitch: fix nested key length validation in the set() action
https://notcve.org/view.php?id=CVE-2025-37789
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the attribute is OK first. In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set() action It's not safe to access nla_len(ovs_key) if the data is smaller than the netlink header. Check that the att... • https://git.kernel.org/stable/c/ccb1352e76cff0524e7ccb2074826a092dd13016 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37781 – i2c: cros-ec-tunnel: defer probe if parent EC is not present
https://notcve.org/view.php?id=CVE-2025-37781
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: i2c: cros-ec-tunnel: defer probe if parent EC is not present When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent device will not be found, leading to NULL pointer dereference. That can also be reproduced by unbinding the controller driver and then loading i2c-cros-ec-tunnel module (or binding the device). [ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 271.998215] #PF: supervisor read access... • https://git.kernel.org/stable/c/9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796 •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37780 – isofs: Prevent the use of too small fid
https://notcve.org/view.php?id=CVE-2025-37780
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: isofs: Prevent the use of too small fid syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1] The handle_bytes value passed in by the reproducing program is equal to 12. In handle_to_path(), only 12 bytes of memory are allocated for the structure file_handle->f_handle member, which causes an out-of-bounds access when accessing the member parent_block of the structure isofs_fid in isofs, because accessing parent_block requires... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37765 – drm/nouveau: prime: fix ttm_bo_delayed_delete oops
https://notcve.org/view.php?id=CVE-2025-37765
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix ttm_bo_delayed_delete oops Fix an oops in ttm_bo_delayed_delete which results from dererencing a dangling pointer: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216 Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024 Workqueue: ttm ttm_bo_delayed_del... • https://git.kernel.org/stable/c/22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37758 – ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
https://notcve.org/view.php?id=CVE-2025-37758
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does not check for this case, which can result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue. In the Linux kernel, the following vulnerability has been resolved: ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() devm_ioremap() returns NULL ... • https://git.kernel.org/stable/c/2dc6c6f15da97cb3e810963c80e981f19d42cd7d •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37757 – tipc: fix memory leak in tipc_link_xmit
https://notcve.org/view.php?id=CVE-2025-37757
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded, tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to memory leak and failure when a skb is allocated. This commit fixes this issue by purging the skb list before tipc_link_xmit() returns. In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit ... • https://git.kernel.org/stable/c/365ad353c2564bba8835290061308ba825166b3a •
CVSS: 5.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37756 – net: tls: explicitly disallow disconnect
https://notcve.org/view.php?id=CVE-2025-37756
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the war... • https://git.kernel.org/stable/c/3c4d7559159bfe1e3b94df3a657b2cda3a34e218 •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37749 – net: ppp: Add bound checking for skb data on ppp_sync_txmung
https://notcve.org/view.php?id=CVE-2025-37749
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ppp: Add bound checking for skb data on ppp_sync_txmung Ensure we have enough data in linear buffer from skb before accessing initial bytes. This prevents potential out-of-bounds accesses when processing short packets. When ppp_sync_txmung receives an incoming package with an empty payload: (remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header) $18 = { type = 0x1, ver = 0x1, code = 0x0, sid = 0x2, length = 0x0, tag = 0... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-125: Out-of-bounds Read •