CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39863 – wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
https://notcve.org/view.php?id=CVE-2025-39863
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shut... • https://git.kernel.org/stable/c/61730d4dfffc2cc9d3a49fad87633008105c18ba • CWE-416: Use After Free •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39853 – i40e: Fix potential invalid access when MAC list is empty
https://notcve.org/view.php?id=CVE-2025-39853
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced. Fix this by using list_first_entry_or_null instead of list_first_entry. In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty list_first_entr... • https://git.kernel.org/stable/c/e3219ce6a775468368fb270fae3eb82a6787b436 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39848 – ax25: properly unshare skbs in ax25_kiss_rcv()
https://notcve.org/view.php?id=CVE-2025-39848
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv() Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs or corruptions could happen without a major crash. But the root cause is that ax25_kiss_rcv() can queue/mangle input skb without checking if this skb is shared or no... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39847 – ppp: fix memory leak in pad_compress_skb
https://notcve.org/view.php?id=CVE-2025-39847
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference to the old skb is lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. Align pad_compress_skb() semantics with realloc(): only free the old skb if... • https://git.kernel.org/stable/c/b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39846 – pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
https://notcve.org/view.php?id=CVE-2025-39846
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res. In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NUL... • https://git.kernel.org/stable/c/49b1153adfe18a3cce7e70aa26c690f275917cd0 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39839 – batman-adv: fix OOB read/write in network-coding decode
https://notcve.org/view.php?id=CVE-2025-39839
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix OOB read/write in network-coding decode batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small out-of-bounds write. Validate that coded_len fits within the payload area of both destination and source sk_buffs before XORing. In the Linux ... • https://git.kernel.org/stable/c/2df5278b0267c799f3e877e8eeddbb6e93cda0bb •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2023-53447 – f2fs: don't reset unchangable mount option in f2fs_remount()
https://notcve.org/view.php?id=CVE-2023-53447
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: don't reset unchangable mount option in f2fs_remount() syzbot reports a bug as below: general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942 Call Trace: lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691 __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline] _raw_write_lock+0x2e/0x40 kernel/locking/spinloc... • https://git.kernel.org/stable/c/98e4da8ca301e062d79ae168c67e56f3c3de3ce4 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-53443 – mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
https://notcve.org/view.php?id=CVE-2023-53443
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak In arizona_clk32k_enable(), we should use pm_runtime_resume_and_get() as pm_runtime_get_sync() will increase the refcnt even when it returns an error. In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak In arizona_clk32k_enable(), we should use pm_runtime_resume_and_get() as pm_runtime_get... • https://git.kernel.org/stable/c/247fa1920deeb1064e36c0a34410f4d63503b3d4 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53440 – nilfs2: fix sysfs interface lifetime
https://notcve.org/view.php?id=CVE-2023-53440
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix sysfs interface lifetime The current nilfs2 sysfs support has issues with the timing of creation and deletion of sysfs entries, potentially leading to null pointer dereferences, use-after-free, and lockdep warnings. Some of the sysfs attributes for nilfs2 per-filesystem instance refer to metadata file "cpfile", "sufile", or "dat", but nilfs_sysfs_create_device_group that creates those attributes is executed before the inodes for... • https://git.kernel.org/stable/c/dd70edbde2627f47df118d899de6bbb55abcfdbf • CWE-476: NULL Pointer Dereference •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-53438 – x86/MCE: Always save CS register on AMD Zen IF Poison errors
https://notcve.org/view.php?id=CVE-2023-53438
18 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/MCE: Always save CS register on AMD Zen IF Poison errors The Instruction Fetch (IF) units on current AMD Zen-based systems do not guarantee a synchronous #MC is delivered for poison consumption errors. Therefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the microarchitecture does guarantee that the exception is delivered within the same context. In other words, the exact rIP is not known, but the context is known to not have chan... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •