CVSS: 7.8EPSS: %CPEs: 6EXPL: 0CVE-2025-37914 – net_sched: ets: Fix double list add in class with netem as child qdisc
https://notcve.org/view.php?id=CVE-2025-37914
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of ets, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. In addition to checking for qlen being zero, this patch checks whether the class was already ... • https://git.kernel.org/stable/c/37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea •
CVSS: 7.8EPSS: %CPEs: 6EXPL: 0CVE-2025-37913 – net_sched: qfq: Fix double list add in class with netem as child qdisc
https://notcve.org/view.php?id=CVE-2025-37913
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_active) ... • https://git.kernel.org/stable/c/37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea •
CVSS: 5.5EPSS: %CPEs: 7EXPL: 0CVE-2025-37912 – ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
https://notcve.org/view.php?id=CVE-2025-37912
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() As mentioned in the commit baeb705fd6a7 ("ice: always check VF VSI pointer values"), we need to perform a null pointer check on the return value of ice_get_vf_vsi() before using it. In the Linux kernel, the following vulnerability has been resolved: ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() As mentioned in the commit baeb705fd6a7 ("ice: always check VF VSI pointer val... • https://git.kernel.org/stable/c/e81b674ead8e2172b2a69e7b45e079239ace4dbc •
CVSS: 9.0EPSS: %CPEs: 8EXPL: 0CVE-2025-37911 – bnxt_en: Fix out-of-bound memcpy() during ethtool -w
https://notcve.org/view.php?id=CVE-2025-37911
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix out-of-bound memcpy() during ethtool -w When retrieving the FW coredump using ethtool, it can sometimes cause memory corruption: BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! • https://git.kernel.org/stable/c/c74751f4c39232c31214ec6a3bc1c7e62f5c728b •
CVSS: 5.5EPSS: %CPEs: 6EXPL: 0CVE-2025-37909 – net: lan743x: Fix memleak issue when GSO enabled
https://notcve.org/view.php?id=CVE-2025-37909
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Prev... • https://git.kernel.org/stable/c/23f0703c125be490f70501b6b24ed5645775c56a •
CVSS: 4.3EPSS: %CPEs: 3EXPL: 0CVE-2025-37907 – accel/ivpu: Fix locking order in ivpu_job_submit
https://notcve.org/view.php?id=CVE-2025-37907
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix locking order in ivpu_job_submit Fix deadlock in job submission and abort handling. When a thread aborts currently executing jobs due to a fault, it first locks the global lock protecting submitted_jobs (#1). After the last job is destroyed, it proceeds to release the related context and locks file_priv (#2). Meanwhile, in the job submission thread, the file_priv lock (#2) is taken first, and then the submitted_jobs lock (#1... • https://git.kernel.org/stable/c/079d2622f8c9e0c380149645fff21d35c59ce6ff •
CVSS: 7.2EPSS: %CPEs: 6EXPL: 0CVE-2025-37905 – firmware: arm_scmi: Balance device refcount when destroying devices
https://notcve.org/view.php?id=CVE-2025-37905
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Balance device refcount when destroying devices Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release methods upon devices destruction. As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_pr... • https://git.kernel.org/stable/c/d4f9dddd21f39395c62ea12d3d91239637d4805f •
CVSS: 7.2EPSS: %CPEs: 5EXPL: 0CVE-2025-37903 – drm/amd/display: Fix slab-use-after-free in hdcp
https://notcve.org/view.php?id=CVE-2025-37903
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free in hdcp The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free: [ 66.... • https://git.kernel.org/stable/c/da3fd7ac0bcf372cc57117bdfcd725cca7ef975a •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-37901 – irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
https://notcve.org/view.php?id=CVE-2025-37901
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs On Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not have a corresponding MPM pin and should not be handled inside the MPM driver. The IRQ domain hierarchy is always applied, so it's required to explicitly disconnect the hierarchy for those. The pinctrl-msm driver marks these with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but irq-qcom-mpm is cur... • https://git.kernel.org/stable/c/a6199bb514d8a63f61c2a22c1f912376e14d0fb2 •
CVSS: 7.8EPSS: %CPEs: 3EXPL: 0CVE-2025-37899 – ksmbd: fix use-after-free in session logoff
https://notcve.org/view.php?id=CVE-2025-37899
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user ... • https://git.kernel.org/stable/c/d5ec1d79509b3ee01de02c236f096bc050221b7f •