CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38108 – net_sched: red: fix a race in __red_change()
https://notcve.org/view.php?id=CVE-2025-38108
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()... • https://git.kernel.org/stable/c/0c8d13ac96070000da33f394f45e9c19638483c5 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2025-38107 – net_sched: ets: fix a race in ets_qdisc_change()
https://notcve.org/view.php?id=CVE-2025-38107
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backl... • https://git.kernel.org/stable/c/699d82e9a6db29d509a71f1f2f4316231e6232e6 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38106 – io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()
https://notcve.org/view.php?id=CVE-2025-38106
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() syzbot reports: BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304 CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace:
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-38105 – ALSA: usb-audio: Kill timer properly at removal
https://notcve.org/view.php?id=CVE-2025-38105
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(... • https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5 •
CVSS: -EPSS: %CPEs: 15EXPL: 0CVE-2025-38103 – HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
https://notcve.org/view.php?id=CVE-2025-38103
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are val... • https://git.kernel.org/stable/c/f043bfc98c193c284e2cd768fefabe18ac2fed9b •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38102 – VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
https://notcve.org/view.php?id=CVE-2025-38102
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace:
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38101 – ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()
https://notcve.org/view.php?id=CVE-2025-38101
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues. • https://git.kernel.org/stable/c/f9b94daa542a8d2532f0930f01cd9aec2d19621b •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38100 – x86/iopl: Cure TIF_IO_BITMAP inconsistencies
https://notcve.org/view.php?id=CVE-2025-38100
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_upd... • https://git.kernel.org/stable/c/ea5f1cd7ab494f65f50f338299eabb40ad6a1767 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38099 – Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken
https://notcve.org/view.php?id=CVE-2025-38099
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. • https://git.kernel.org/stable/c/f48ee562c095e552a30b8d9cc0566a267b410f8a •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38098 – drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink
https://notcve.org/view.php?id=CVE-2025-38098
03 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector. While dereferencing aconnector->base will "work" it's wrong and might lead to unknown bad things. Just... don't. • https://git.kernel.org/stable/c/b14e726d57f61085485f107a6203c50a09695abd •