
CVE-2025-38034 – btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
https://notcve.org/view.php?id=CVE-2025-38034
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert(). Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref. To reproduce: echo 1 > /sys/k... • https://git.kernel.org/stable/c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a •

CVE-2025-38033 – x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88
https://notcve.org/view.php?id=CVE-2025-38033
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88 Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic: [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G U O 6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.22783... • https://git.kernel.org/stable/c/d6f635bcaca8d38dfa47ee20658705f9eff156b5 •

CVE-2025-38032 – mr: consolidate the ipmr_can_free_table() checks.
https://notcve.org/view.php?id=CVE-2025-38032
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mr: consolidate the ipmr_can_free_table() checks. Guoyu Yin reported a splat in the ipmr netns cleanup path: WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline] WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Modules linked in: CPU: 2 UID: 0 PID: 14564 Comm: syz.4.838 Not tainted 6.14.0 #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), B... • https://git.kernel.org/stable/c/50b94204446e1215af081fd713d7d566d9258e35 •

CVE-2025-38031 – padata: do not leak refcount in reorder_work
https://notcve.org/view.php?id=CVE-2025-38031
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d... • https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0 •

CVE-2025-38029 – kasan: avoid sleepable page allocation from atomic context
https://notcve.org/view.php?id=CVE-2025-38029
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecture disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preem... • https://git.kernel.org/stable/c/3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862 •

CVE-2025-38028 – NFS/localio: Fix a race in nfs_local_open_fh()
https://notcve.org/view.php?id=CVE-2025-38028
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: NFS/localio: Fix a race in nfs_local_open_fh() Once the clp->cl_uuid.lock has been dropped, another CPU could come in and free the struct nfsd_file that was just added. To prevent that from happening, take the RCU read lock before dropping the spin lock. • https://git.kernel.org/stable/c/86e00412254a717ffd5d38dc5ec0ee1cce6281b3 •

CVE-2025-38027 – regulator: max20086: fix invalid memory access
https://notcve.org/view.php?id=CVE-2025-38027
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument. of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches(). struct devm_of_regulator_matches is populated ... • https://git.kernel.org/stable/c/bfff546aae50ae68ed395bf0e0848188d27b0ba3 •

CVE-2025-38025 – iio: adc: ad7606: check for NULL before calling sw_mode_config()
https://notcve.org/view.php?id=CVE-2025-38025
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7606: check for NULL before calling sw_mode_config() Check that the sw_mode_config function pointer is not NULL before calling it. Not all buses define this callback, which resulted in a NULL pointer dereference. • https://git.kernel.org/stable/c/e571c1902116a376c96e59639820662d7d6a13da •

CVE-2025-38024 – RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
https://notcve.org/view.php?id=CVE-2025-38024
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Call Trace:

CVE-2025-38023 – nfs: handle failure of nfs_get_lock_context in unlock path
https://notcve.org/view.php?id=CVE-2025-38023
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: nfs: handle failure of nfs_get_lock_context in unlock path When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, addr... • https://git.kernel.org/stable/c/f30cb757f680f965ba8a2e53cb3588052a01aeb5 •