CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40035 – Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
https://notcve.org/view.php?id=CVE-2025-40035
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace. Initialize ff_up_compat to zero before filling valid fields. In the... • https://git.kernel.org/stable/c/2d56f3a32c0e62f99c043d2579840f9731fe5855 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40033 – remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()
https://notcve.org/view.php?id=CVE-2025-40033
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL check, which could lead to a null pointer dereference. Move the pru assignment, ensuring we never dereference a NULL rproc pointer. In the Linux kernel, the following vulnerability has been resolved: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() pru_rproc_... • https://git.kernel.org/stable/c/102853400321baea2527917e6e89be33508c3e18 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40032 – PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
https://notcve.org/view.php?id=CVE-2025-40032
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan(). Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases: Unable to handle... • https://git.kernel.org/stable/c/5ebf3fc59bd20d17df3ba26159787d13cf20d362 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40031 – tee: fix register_shm_helper()
https://notcve.org/view.php?id=CVE-2025-40031
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: tee: fix register_shm_helper() In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. In the Linux kernel, the following vuln... • https://git.kernel.org/stable/c/7bdee41575919773818e525ea19e54eb817770af •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40030 – pinctrl: check the return value of pinmux_ops::get_function_name()
https://notcve.org/view.php?id=CVE-2025-40030
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: check the return value of pinmux_ops::get_function_name() While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp(... • https://git.kernel.org/stable/c/f913cfce4ee49a3382a9ff95696f49a46e56e974 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40029 – bus: fsl-mc: Check return value of platform_get_resource()
https://notcve.org/view.php?id=CVE-2025-40029
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: Check return value of platform_get_resource() platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference. In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: Check return value of platform_get_resource() platform_get_resource() returns NULL in case of failure, so check its return value and propagate the erro... • https://git.kernel.org/stable/c/6305166c8771c33a8d5992fb53f93cfecedc14fd •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40027 – net/9p: fix double req put in p9_fd_cancelled
https://notcve.org/view.php?id=CVE-2025-40027
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net/9p: fix double req put in p9_fd_cancelled Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 ... • https://git.kernel.org/stable/c/afd8d65411551839b7ab14a539d00075b2793451 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40026 – KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
https://notcve.org/view.php?id=CVE-2025-40026
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted de... • https://git.kernel.org/stable/c/8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40025 – f2fs: fix to do sanity check on node footer for non inode dnode
https://notcve.org/view.php?id=CVE-2025-40025
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer for non inode dnode As syzbot reported below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/file.c:1243! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full) RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40024 – vhost: Take a reference on the task in struct vhost_task.
https://notcve.org/view.php?id=CVE-2025-40024
24 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost: Take a reference on the task in struct vhost_task. vhost_task_create() creates a task and keeps a reference to its task_struct. That task may exit early via a signal and its task_struct will be released. A pending vhost_task_wake() will then attempt to wake the task and access a task_struct which is no longer there. Acquire a reference on the task_struct while creating the thread and release the reference while the struct vhost_task ... • https://git.kernel.org/stable/c/f9010dbdce911ee1f1af1398a24b1f9f992e0080 •