CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-38020 – net/mlx5e: Disable MACsec offload for uplink representor profile
https://notcve.org/view.php?id=CVE-2025-38020
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set. C... • https://git.kernel.org/stable/c/8ff0ac5be1446920d71bdce5547f0d8476e280ff •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38019 – mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices
https://notcve.org/view.php?id=CVE-2025-38019
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices: # ip link add name gre1 up ... • https://git.kernel.org/stable/c/8fdb09a7674c61c4f0e5faf0d63b3ce500a341b0 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-38018 – net/tls: fix kernel panic when alloc_page failed
https://notcve.org/view.php?id=CVE-2025-38018
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full... • https://git.kernel.org/stable/c/84c61fe1a75b4255df1e1e7c054c9e6d048da417 •
CVSS: -EPSS: %CPEs: 1EXPL: 0CVE-2025-38017 – fs/eventpoll: fix endless busy loop after timeout has expired
https://notcve.org/view.php?id=CVE-2025-38017
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/eventpoll: fix endless busy loop after timeout has expired After commit 0a65bc27bd64 ("eventpoll: Set epoll timeout if it's in the future"), the following program would immediately enter a busy loop in the kernel: ``` int main() { int e = epoll_create1(0); struct epoll_event event = {.events = EPOLLIN}; epoll_ctl(e, EPOLL_CTL_ADD, 0, &event); const struct timespec timeout = {.tv_nsec = 1}; epoll_pwait2(e, &event, 1, &timeout, 0); } ``` T... • https://git.kernel.org/stable/c/99a0ad16dfd114a429df665065dcc576dad743c0 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38016 – HID: bpf: abort dispatch if device destroyed
https://notcve.org/view.php?id=CVE-2025-38016
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: bpf: abort dispatch if device destroyed The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages. The bug will be triggered if the conditions be... • https://git.kernel.org/stable/c/8bd0488b5ea58655ad6fdcbe0408ef49b16882b1 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38015 – dmaengine: idxd: fix memory leak in error handling path of idxd_alloc
https://notcve.org/view.php?id=CVE-2025-38015
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix memory leak in error handling path of idxd_alloc Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error. • https://git.kernel.org/stable/c/a8563a33a5e26064061f2fb34215c97f0e2995f4 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38014 – dmaengine: idxd: Refactor remove call with idxd_cleanup() helper
https://notcve.org/view.php?id=CVE-2025-38014
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, enginces and wqs. • https://git.kernel.org/stable/c/bfe1d56091c1a404b3d4ce7e9809d745fc4453bb •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38013 – wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request
https://notcve.org/view.php?id=CVE-2025-38013
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller: UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]') This was missed in the initial conversions beca... • https://git.kernel.org/stable/c/e3eac9f32ec04112b39e01b574ac739382469bf9 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38012 – sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator
https://notcve.org/view.php?id=CVE-2025-38012
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized state after an error return causing bpf_iter_scx_dsq_next() to dereference garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so tha... • https://git.kernel.org/stable/c/650ba21b131ed1f8ee57826b2c6295a3be221132 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-38011 – drm/amdgpu: csa unmap use uninterruptible lock
https://notcve.org/view.php?id=CVE-2025-38011
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: csa unmap use uninterruptible lock After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace. Change to use uninterruptible wait lock fix the issue. WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] Call Trace: