CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38258 – mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
https://notcve.org/view.php?id=CVE-2025-38258
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write memcg_path_store() assigns a newly allocated memory buffer to filter->memcg_path, without deallocating the previously allocated and assigned memory buffer. As a result, users can leak kernel memory by continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak by deallocating the previously set memory buffer. In the Linux kernel, the following vulne... • https://git.kernel.org/stable/c/7ee161f18b5da5170b5d6a51aace49d312099128 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38257 – s390/pkey: Prevent overflow in size calculation for memdup_user()
https://notcve.org/view.php?id=CVE-2025-38257
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_... • https://git.kernel.org/stable/c/f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38255 – lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
https://notcve.org/view.php?id=CVE-2025-38255
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP... • https://git.kernel.org/stable/c/6a6dcae8f486c3f3298d0767d34505121c7b0b81 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38251 – atm: clip: prevent NULL deref in clip_push()
https://notcve.org/view.php?id=CVE-2025-38251
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize. In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes ... • https://git.kernel.org/stable/c/93a2014afbace907178afc3c9c1e62c9a338595a •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38250 – Bluetooth: hci_core: Fix use-after-free in vhci_flush()
https://notcve.org/view.php?id=CVE-2025-38250
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread close()d a vhci file descriptor while its device was being used by iotcl() on another thread. Once the last fd refcnt is released, vhci_release() calls hci_unregister_dev(), hci_free_dev(), and kfree() for struct vhci_data, which is set to hci_dev->dev->driver_data. The problem is that there is n... • https://git.kernel.org/stable/c/bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38249 – ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
https://notcve.org/view.php?id=CVE-2025-38249
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than e... • https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38248 – bridge: mcast: Fix use-after-free during router port configuration
https://notcve.org/view.php?id=CVE-2025-38248
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry. When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the g... • https://git.kernel.org/stable/c/2796d846d74a18cc6563e96eff8bf28c5e06f912 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38246 – bnxt: properly flush XDP redirect lists
https://notcve.org/view.php?id=CVE-2025-38246
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: bnxt: properly flush XDP redirect lists We encountered following crash when testing a XDP_REDIRECT feature in production: [56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd 40f30). [56251.601413] ------------[ cut here ]------------ [56251.611357] kernel BUG at lib/list_debug.c:29! [56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [56251.632073] CPU: 1... • https://git.kernel.org/stable/c/a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38245 – atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().
https://notcve.org/view.php?id=CVE-2025-38245
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_... • https://git.kernel.org/stable/c/64bf69ddff7637b7ed7acf9b2a823cc0ee519439 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38244 – smb: client: fix potential deadlock when reconnecting channels
https://notcve.org/view.php?id=CVE-2025-38244
09 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when reconnecting channels Fix cifs_signal_cifsd_for_reconnect() to take the correct lock order and prevent the following deadlock from happening ====================================================== WARNING: possible circular locking dependency detected 6.16.0-rc3-build2+ #1301 Tainted: G S W ------------------------------------------------------ cifsd/6055 is trying to acquire lock: ffff88810ad56038 (&... • https://git.kernel.org/stable/c/d7d7a66aacd6fd8ca57baf08a7bac5421282f6f8 •