CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38187 – drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()
https://notcve.org/view.php?id=CVE-2025-38187
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() The RPC container is released after being passed to r535_gsp_rpc_send(). When sending the initial fragment of a large RPC and passing the caller's RPC container, the container will be freed prematurely. Subsequent attempts to send remaining fragments will therefore result in a use-after-free. Allocate a temporary RPC container for holding the initial fragment of a large RPC when sendi... • https://git.kernel.org/stable/c/176fdcbddfd288408ce8571c1760ad618d962096 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38186 – bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start()
https://notcve.org/view.php?id=CVE-2025-38186
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() Before the commit under the Fixes tag below, bnxt_ulp_stop() and bnxt_ulp_start() were always invoked in pairs. After that commit, the new bnxt_ulp_restart() can be invoked after bnxt_ulp_stop() has been called. This may result in the RoCE driver's aux driver .suspend() method being invoked twice. The 2nd bnxt_re_suspend() call will crash when it dereferences a NULL pointer:... • https://git.kernel.org/stable/c/3c163f35bd50314d4e70ed9e83e1d8d83c473325 •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38185 – atm: atmtcp: Free invalid length skb in atmtcp_c_send().
https://notcve.org/view.php?id=CVE-2025-38185
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert at... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38184 – tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
https://notcve.org/view.php?id=CVE-2025-38184
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711 tipc: Enabled bearer
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38183 – net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
https://notcve.org/view.php?id=CVE-2025-38183
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8). This seems correct and aligns with the PTP interrupt status register (PTP_INT_STS) specifications. However, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with only LAN743X_PTP_N_EXTTS(4) elements, using chann... • https://git.kernel.org/stable/c/60942c397af6094c04406b77982314dfe69ef3c4 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38182 – ublk: santizize the arguments from userspace when adding a device
https://notcve.org/view.php?id=CVE-2025-38182
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device. In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device. • https://git.kernel.org/stable/c/71f28f3136aff5890cd56de78abc673f8393cad9 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38181 – calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
https://notcve.org/view.php?id=CVE-2025-38181
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"), reqsk->rsk_listener could be NULL when SYN Cookie is returned to its client, as hinted by the leading SYN Cookie log. Here are 3... • https://git.kernel.org/stable/c/e1adea927080821ebfa7505bff752a4015955660 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38180 – net: atm: fix /proc/net/atm/lec handling
https://notcve.org/view.php?id=CVE-2025-38180
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38179 – smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma()
https://notcve.org/view.php?id=CVE-2025-38179
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma() This fixes the following problem: [ 749.901015] [ T8673] run fstests cifs/001 at 2025-06-17 09:40:30 [ 750.346409] [ T9870] ================================================================== [ 750.346814] [ T9870] BUG: KASAN: slab-out-of-bounds in smb_set_sge+0x2cc/0x3b0 [cifs] [ 750.347330] [ T9870] Write of size 8 at addr ffff888011082890 by task xfs_io/9870 [ 750.347705] [... • https://git.kernel.org/stable/c/c45ebd636c32d33c75e51ce977520ff146bd41a1 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-38178 – EDAC/igen6: Fix NULL pointer dereference
https://notcve.org/view.php?id=CVE-2025-38178
04 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: EDAC/igen6: Fix NULL pointer dereference A kernel panic was reported with the following kernel log: EDAC igen6: Expected 2 mcs, but only 1 detected. BUG: unable to handle page fault for address: 000000000000d570 ... Hardware name: Notebook V54x_6x_TU/V54x_6x_TU, BIOS Dasharo (coreboot+UEFI) v0.9.0 07/17/2024 RIP: e030:ecclog_handler+0x7e/0xf0 [igen6_edac] ... igen6_probe+0x2a0/0x343 [igen6_edac] ... igen6_init+0xc5/0xff0 [igen6_edac] ... Th... • https://git.kernel.org/stable/c/20e190b1c1fd88b21cc5106c12cfe6def5ab849d •