CVSS: 6.6 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40243 – hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
https://notcve.org/view.php?id=CVE-2025-40243
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() The syzbot reported issue in hfs_find_set_zero_bits():
=====================================================
BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
 hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
 hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
 hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
 hfs_get_block+0x435/0x1150 fs/hfs/ex...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.9 • EPSS: 0% • CPEs: 11 • EXPL: 0 • CVE-2025-40242 – gfs2: Fix unlikely race in gdlm_put_lock
https://notcve.org/view.php?id=CVE-2025-40242
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix unlikely race in gdlm_put_lock In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet. In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released. ... • https://git.kernel.org/stable/c/d1340f80f0b8066321b499a376780da00560e857 •
CVSS: 6.6 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40240 – sctp: avoid NULL dereference when chunk data buffer is missing
https://notcve.org/view.php?id=CVE-2025-40240
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition. ... • https://git.kernel.org/stable/c/90017accff61ae89283ad9a51f9ac46ca01633fb •
CVSS: 7.1 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40233 – ocfs2: clear extent cache after moving/defragmenting extents
https://notcve.org/view.php?id=CVE-2025-40233
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: clear extent cache after moving/defragmenting extents The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). The problem occurs when:
1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
2. ioctl(FITRIM) triggers ocfs2_move_extents()
3. __ocfs2_move_extents_range() reads ...
• https://git.kernel.org/stable/c/53069d4e76954e2e63c1b3c501051c6fbcf7298c •
CVSS: - • EPSS: 0% • CPEs: 12 • EXPL: 0 • CVE-2025-40220 – fuse: fix livelock in synchronous file put from fuseblk workers
https://notcve.org/view.php?id=CVE-2025-40220
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server:
# cat /proc/372265/task/372313/stack
[<0>] request_wait_answer+0x1f...
• https://git.kernel.org/stable/c/5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 •
CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2025-40215 – xfrm: delete x->tunnel as we delete x
https://notcve.org/view.php?id=CVE-2025-40215
04 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_stat... • https://git.kernel.org/stable/c/9d4139c76905833afcb77fe8ccc17f302a0eb9ab •
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40211 – ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
https://notcve.org/view.php?id=CVE-2025-40211
21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by ... • https://git.kernel.org/stable/c/8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 •
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40205 – btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
https://notcve.org/view.php?id=CVE-2025-40205
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_... • https://git.kernel.org/stable/c/be6e8dc0ba84029997075a1ec77b4ddb863cbe15 •
CVSS: 6.3 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40204 – sctp: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2025-40204
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. Several security issues were discovered in the Linux k... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.3 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2025-40200 – Squashfs: reject negative file sizes in squashfs_read_inode()
https://notcve.org/view.php?id=CVE-2025-40200
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode() Syzkaller reports a "WARNING in ovl_copy_up_file" in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. [phillip@squashfs.org.uk: only need to check 64 bit quantity] ... • https://git.kernel.org/stable/c/6545b246a2c815a8fcd07d58240effb6ec3481b1 •
