CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-40141 – Bluetooth: ISO: Fix possible UAF on iso_conn_free
https://notcve.org/view.php?id=CVE-2025-40141
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a •
CVSS: 6.6 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40140 – net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
https://notcve.org/view.php?id=CVE-2025-40140
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning: rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); } rtl8150_set_multicast() { netif_stop_queue(); netif_wake_queue(); <-- wakes up TX queue before URB is done } rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb);... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.6 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40139 – smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
https://notcve.org/view.php?id=CVE-2025-40139
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set(). smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() after kernel_getsockname(). Note that the returned value of smc_clc_prfx_set() is not used in the caller. While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst ther... • https://git.kernel.org/stable/c/a046d57da19f812216f393e7c535f5858f793ac3 •
CVSS: 5.0 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-40137 – f2fs: fix to truncate first page in error path of f2fs_truncate()
https://notcve.org/view.php?id=CVE-2025-40137
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate() syzbot reports a bug as below: loop0: detected capacity change from 0 to 40427 F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072) F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock F2FS-fs (loop0): invalid crc value F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix. ------------[ c... • https://git.kernel.org/stable/c/92dffd01790a5219d234fc83c3ba854f4490b7f4 •
CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40136 – crypto: hisilicon/qm - request reserved interrupt for virtual function
https://notcve.org/view.php?id=CVE-2025-40136
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - request reserved interrupt for virtual function The device interrupt vector 3 is an error interrupt for physical function and a reserved interrupt for virtual function. However, the driver has not registered the reserved interrupt for virtual function. When allocating interrupts, the number of interrupts is allocated based on powers of two, which includes this interrupt. When the system enables GICv4 and the virtual f... • https://git.kernel.org/stable/c/3536cc55cadaf2a03241915f9cfdaf6cd073e4fe •
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40135 – ipv6: use RCU in ip6_xmit()
https://notcve.org/view.php?id=CVE-2025-40135
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40134 – dm: fix NULL pointer dereference in __dm_suspend()
https://notcve.org/view.php?id=CVE-2025-40134
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 19... • https://git.kernel.org/stable/c/c4576aed8d85d808cd6443bda58393d525207d01 •
CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-40132 – ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback
https://notcve.org/view.php?id=CVE-2025-40132
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback In create_sdw_dailink() check that sof_end->codec_info->add_sidecar is not NULL before calling it. The original code assumed that if include_sidecar is true, the codec on that link has an add_sidecar callback. But there could be other codecs on the same link that do not have an add_sidecar callback. • https://git.kernel.org/stable/c/da5244180281a18c4c7859674fec308514aaf629 •
CVSS: 6.3 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40130 – scsi: ufs: core: Fix data race in CPU latency PM QoS request handling
https://notcve.org/view.php?id=CVE-2025-40130
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues. A ty... • https://git.kernel.org/stable/c/2777e73fc154e2e87233bdcc0e2402b33815198e •
CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-40129 – sunrpc: fix null pointer dereference on zero-length checksum
https://notcve.org/view.php?id=CVE-2025-40129
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT. • https://git.kernel.org/stable/c/0653028e8f1c97fec30710813a001ad8a2ec34f4 •
