CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-21926 – net: gso: fix ownership in __udp_gso_segment
https://notcve.org/view.php?id=CVE-2025-21926
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __... • https://git.kernel.org/stable/c/ad405857b174ed31a97982bb129c320d03321cf5 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-21925 – llc: do not use skb_get() before dev_queue_xmit()
https://notcve.org/view.php?id=CVE-2025-21925
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver might have an issue with pktgen, because it does not clear IFF_TX_SKB_SHARING, this is an orthogonal change. We need to audit other skb_get() us... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-21924 – net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error
https://notcve.org/view.php?id=CVE-2025-21924
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error During the initialization of ptp, hclge_ptp_get_cycle might return an error and returned directly without unregister clock and free it. To avoid that, call hclge_ptp_destroy_clock to unregist and free clock if hclge_ptp_get_cycle failed. • https://git.kernel.org/stable/c/8373cd38a8888549ace7c7617163a2e826970a92 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-21923 – HID: hid-steam: Fix use-after-free when detaching device
https://notcve.org/view.php?id=CVE-2025-21923
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: hid-steam: Fix use-after-free when detaching device When a hid-steam device is removed it must clean up the client_hdev used for intercepting hidraw access. This can lead to scheduling deferred work to reattach the input device. Though the cleanup cancels the deferred work, this was done before the client_hdev itself is cleaned up, so it gets rescheduled. This patch fixes the ordering to make sure the deferred work is properly canceled... • https://git.kernel.org/stable/c/e1147961b2145fa61c3078a4a797d9576cde91ab •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-21922 – ppp: Fix KMSAN uninit-value warning with bpf
https://notcve.org/view.php?id=CVE-2025-21922
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-21920 – vlan: enforce underlying device type
https://notcve.org/view.php?id=CVE-2025-21920
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each app... • https://git.kernel.org/stable/c/22bedad3ce112d5ca1eaf043d4990fa2ed698c87 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-21919 – sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
https://notcve.org/view.php?id=CVE-2025-21919
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data.... • https://git.kernel.org/stable/c/fdaba61ef8a268d4136d0a113d153f7a89eb9984 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-21918 – usb: typec: ucsi: Fix NULL pointer access
https://notcve.org/view.php?id=CVE-2025-21918
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix NULL pointer access Resources should be released only after all threads that utilize them have been destroyed. This commit ensures that resources are not released prematurely by waiting for the associated workqueue to complete before deallocating them. • https://git.kernel.org/stable/c/b9aa02ca39a49740926c2c450a1505a4a0f8954a •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-21917 – usb: renesas_usbhs: Flush the notify_hotplug_work
https://notcve.org/view.php?id=CVE-2025-21917
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable. • https://git.kernel.org/stable/c/bc57381e634782009b1cb2e86b18013699ada576 •
CVSS: -EPSS: %CPEs: 10EXPL: 0CVE-2025-21916 – usb: atm: cxacru: fix a flaw in existing endpoint checks
https://notcve.org/view.php?id=CVE-2025-21916
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix a flaw in existing endpoint checks Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")). While using usb_find_common_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient numb... • https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47 •