CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2025-38107 – net_sched: ets: fix a race in ets_qdisc_change()
https://notcve.org/view.php?id=CVE-2025-38107
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backl... • https://git.kernel.org/stable/c/699d82e9a6db29d509a71f1f2f4316231e6232e6 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38106 – io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()
https://notcve.org/view.php?id=CVE-2025-38106
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() syzbot reports: BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304 CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace:
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-38105 – ALSA: usb-audio: Kill timer properly at removal
https://notcve.org/view.php?id=CVE-2025-38105
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(... • https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5 •
CVSS: -EPSS: %CPEs: 15EXPL: 0CVE-2025-38103 – HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
https://notcve.org/view.php?id=CVE-2025-38103
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are val... • https://git.kernel.org/stable/c/f043bfc98c193c284e2cd768fefabe18ac2fed9b •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38102 – VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
https://notcve.org/view.php?id=CVE-2025-38102
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace:
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38101 – ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()
https://notcve.org/view.php?id=CVE-2025-38101
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues. • https://git.kernel.org/stable/c/f9b94daa542a8d2532f0930f01cd9aec2d19621b •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38100 – x86/iopl: Cure TIF_IO_BITMAP inconsistencies
https://notcve.org/view.php?id=CVE-2025-38100
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_upd... • https://git.kernel.org/stable/c/ea5f1cd7ab494f65f50f338299eabb40ad6a1767 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38099 – Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken
https://notcve.org/view.php?id=CVE-2025-38099
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. • https://git.kernel.org/stable/c/f48ee562c095e552a30b8d9cc0566a267b410f8a •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38098 – drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink
https://notcve.org/view.php?id=CVE-2025-38098
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector. While dereferencing aconnector->base will "work" it's wrong and might lead to unknown bad things. Just... don't. • https://git.kernel.org/stable/c/b14e726d57f61085485f107a6203c50a09695abd •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-38097 – espintcp: remove encap socket caching to avoid reference leak
https://notcve.org/view.php?id=CVE-2025-38097
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: espintcp: remove encap socket caching to avoid reference leak The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns. The reference chain is: xfrm_state -> enacp_sk -> netns Since the encap socket is a userspace socket, it holds a reference on the netns. If we delete the espintcp state (through flush or individual delete) before removing the netns, the reference on the socket is dropped a... • https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 •