CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38295 – perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()
https://notcve.org/view.php?id=CVE-2025-38295
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_create() can be called in a preemptible context. Following kernel warning and stack trace: [ 31.745138] [ T2289] BUG: using smp_processor_id() i... • https://git.kernel.org/stable/c/2016e2113d35ba06866961a39e9a9c822f2ffabd •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38294 – wifi: ath12k: fix NULL access in assign channel context handler
https://notcve.org/view.php?id=CVE-2025-38294
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix NULL access in assign channel context handler Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging, This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCA... • https://git.kernel.org/stable/c/90570ba4610bdb1db39ef45f2b271a9f89680a9d •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38293 – wifi: ath11k: fix node corruption in ar->arvifs list
https://notcve.org/view.php?id=CVE-2025-38293
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution o... • https://git.kernel.org/stable/c/d5c65159f2895379e11ca13f62feabe93278985d •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38292 – wifi: ath12k: fix invalid access to memory
https://notcve.org/view.php?id=CVE-2025-38292
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error. Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used. Compile tested o... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38291 – wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash
https://notcve.org/view.php?id=CVE-2025-38291
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace. Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notificati... • https://git.kernel.org/stable/c/a9b46dd2e483bf99fa09e6aeea7701960abaa902 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38290 – wifi: ath12k: fix node corruption in ar->arvifs list
https://notcve.org/view.php?id=CVE-2025-38290
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution o... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38289 – scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk
https://notcve.org/view.php?id=CVE-2025-38289
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk Smatch detected a potential use-after-free of an ndlp oject in dev_loss_tmo_callbk during driver unload or fatal error handling. Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed. In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_... • https://git.kernel.org/stable/c/e4913d4bc59227fbdfe6b8f5541f49aaea1cb41c •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38288 – scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels
https://notcve.org/view.php?id=CVE-2025-38288
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by using raw_smp_processor_id(). smp_processor_id() checks to see if preemption is disabled and if not, issue an error message followed by a call to dump_stack(). Brief example of call trace: kernel: check_preemption_disabled: 436 callbacks suppressed kernel: BUG: using smp_pr... • https://git.kernel.org/stable/c/283dcc1b142ebd60786f8f5e3fbbd53a51035739 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38287 – IB/cm: Drop lockdep assert and WARN when freeing old msg
https://notcve.org/view.php?id=CVE-2025-38287
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: IB/cm: Drop lockdep assert and WARN when freeing old msg The send completion handler can run after cm_id has advanced to another message. The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently outstanding msg is different than the one being freed. In the Linux kernel, the following vulnerability has been resolved: IB/cm: Drop lockdep a... • https://git.kernel.org/stable/c/1e5159219076ddb2e44338c667c83fd1bd43dfef •
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38286 – pinctrl: at91: Fix possible out-of-boundary access
https://notcve.org/view.php?id=CVE-2025-38286
10 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible out-of-boundary access at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks. In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible ... • https://git.kernel.org/stable/c/6732ae5cb47c4f9a72727585956f2a5e069d1637 •