CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38185 – atm: atmtcp: Free invalid length skb in atmtcp_c_send().
https://notcve.org/view.php?id=CVE-2025-38185
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert at... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38184 – tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
https://notcve.org/view.php?id=CVE-2025-38184
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711 tipc: Enabled bearer
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38183 – net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
https://notcve.org/view.php?id=CVE-2025-38183
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8). This seems correct and aligns with the PTP interrupt status register (PTP_INT_STS) specifications. However, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with only LAN743X_PTP_N_EXTTS(4) elements, using chann... • https://git.kernel.org/stable/c/60942c397af6094c04406b77982314dfe69ef3c4 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38182 – ublk: santizize the arguments from userspace when adding a device
https://notcve.org/view.php?id=CVE-2025-38182
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device. In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device. • https://git.kernel.org/stable/c/71f28f3136aff5890cd56de78abc673f8393cad9 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38181 – calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
https://notcve.org/view.php?id=CVE-2025-38181
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"), reqsk->rsk_listener could be NULL when SYN Cookie is returned to its client, as hinted by the leading SYN Cookie log. Here are 3... • https://git.kernel.org/stable/c/e1adea927080821ebfa7505bff752a4015955660 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38180 – net: atm: fix /proc/net/atm/lec handling
https://notcve.org/view.php?id=CVE-2025-38180
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38179 – smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma()
https://notcve.org/view.php?id=CVE-2025-38179
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma() This fixes the following problem: [ 749.901015] [ T8673] run fstests cifs/001 at 2025-06-17 09:40:30 [ 750.346409] [ T9870] ================================================================== [ 750.346814] [ T9870] BUG: KASAN: slab-out-of-bounds in smb_set_sge+0x2cc/0x3b0 [cifs] [ 750.347330] [ T9870] Write of size 8 at addr ffff888011082890 by task xfs_io/9870 [ 750.347705] [... • https://git.kernel.org/stable/c/c45ebd636c32d33c75e51ce977520ff146bd41a1 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-38178 – EDAC/igen6: Fix NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-38178
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: EDAC/igen6: Fix NULL pointer dereference A kernel panic was reported with the following kernel log: EDAC igen6: Expected 2 mcs, but only 1 detected. BUG: unable to handle page fault for address: 000000000000d570 ... Hardware name: Notebook V54x_6x_TU/V54x_6x_TU, BIOS Dasharo (coreboot+UEFI) v0.9.0 07/17/2024 RIP: e030:ecclog_handler+0x7e/0xf0 [igen6_edac] ... igen6_probe+0x2a0/0x343 [igen6_edac] ... igen6_init+0xc5/0xff0 [igen6_edac] ... Th... • https://git.kernel.org/stable/c/20e190b1c1fd88b21cc5106c12cfe6def5ab849d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38177 – sch_hfsc: make hfsc_qlen_notify() idempotent
https://notcve.org/view.php?id=CVE-2025-38177
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it. 2. eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe. I... • https://git.kernel.org/stable/c/0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38176 – binder: fix use-after-free in binderfs_evict_inode()
https://notcve.org/view.php?id=CVE-2025-38176
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in binderfs_evict_inode() Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following: BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699 CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), B... • https://git.kernel.org/stable/c/e77aff5528a183462714f750e45add6cc71e276a •