CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-22039 – ksmbd: fix overflow in dacloffset bounds check
https://notcve.org/view.php?id=CVE-2025-22039
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix overflow in dacloffset bounds check The dacloffset field was originally typed as int and used in an unchecked addition, which could overflow and bypass the existing bounds check in both smb_check_perm_dacl() and smb_inherit_dacl(). This could result in out-of-bounds memory access and a kernel crash when dereferencing the DACL pointer. This patch converts dacloffset to unsigned int and uses check_add_overflow() to validate access ... • https://git.kernel.org/stable/c/6a9cd9ff0fa2bcc30b2bfb8bdb161eb20e44b9dc •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-22038 – ksmbd: validate zero num_subauth before sub_auth is accessed
https://notcve.org/view.php?id=CVE-2025-22038
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero num_subauth before sub_auth is accessed Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed. • https://git.kernel.org/stable/c/3ac65de111c686c95316ade660f8ba7aea3cd3cc •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-22037 – ksmbd: fix null pointer dereference in alloc_preauth_hash()
https://notcve.org/view.php?id=CVE-2025-22037
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in alloc_preauth_hash() The Client send malformed smb2 negotiate request. ksmbd return error response. Subsequently, the client can send smb2 session setup even thought conn->preauth_info is not allocated. This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore session setup request if smb2 negotiate phase is not complete. • https://git.kernel.org/stable/c/ca8bed31edf728a662ef9d6f39f50e7a7dc2b5ad •
CVSS: -EPSS: %CPEs: 12EXPL: 0CVE-2025-22035 – tracing: Fix use-after-free in print_graph_function_flags during tracer switching
https://notcve.org/view.php?id=CVE-2025-22035
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point... • https://git.kernel.org/stable/c/05319d707732c728eb721ac616a50e7978eb499a •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-22033 – arm64: Don't call NULL in do_compat_alignment_fixup()
https://notcve.org/view.php?id=CVE-2025-22033
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, the kernel panics: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort inf... • https://git.kernel.org/stable/c/3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-22029 – exec: fix the racy usage of fs_struct->in_exec
https://notcve.org/view.php?id=CVE-2025-22029
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: exec: fix the racy usage of fs_struct->in_exec check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve() paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it fails we have the following race: T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex T2 sets fs->in_exec = 1 T1 clears fs->in_exec T2 continues with fs->in_exec == 0 Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held. • https://git.kernel.org/stable/c/753a620a7f8e134b444f89fe90873234e894e21a •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-22028 – media: vimc: skip .s_stream() for stopped entities
https://notcve.org/view.php?id=CVE-2025-22028
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: media: vimc: skip .s_stream() for stopped entities Syzbot reported [1] a warning prompted by a check in call_s_stream() that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs. Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call to .s_stream() unless they have been previously properly started. [1] Syzbot report: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 59... • https://git.kernel.org/stable/c/adc589d2a20808fb99d46a78175cd023f2040338 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-22027 – media: streamzap: fix race between device disconnection and urb callback
https://notcve.org/view.php?id=CVE-2025-22027
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_devic... • https://git.kernel.org/stable/c/8e9e60640067858e8036d4d43bbf725c60613359 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-22026 – nfsd: don't ignore the return code of svc_proc_register()
https://notcve.org/view.php?id=CVE-2025-22026
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: don't ignore the return code of svc_proc_register() Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail i... • https://git.kernel.org/stable/c/9d9456185fd5f1891c74354ee297f19538141ead •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-22025 – nfsd: put dl_stid if fail to queue dl_recall
https://notcve.org/view.php?id=CVE-2025-22025
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: put dl_stid if fail to queue dl_recall Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release. However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented corre... • https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1 •