
CVE-2025-22088 – RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
https://notcve.org/view.php?id=CVE-2025-22088
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After erdma_cep_put(new_cep) is called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue.
https://git.kernel.org/stable/c/920d93eac8b97778fef48f34f10e58ddf870fc2a
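
Added illustrative example, not the erdma driver's code: a userspace model of a kref-style object that shows why "put, then dereference" is unsafe. The struct, field names and the cep_freed counter are assumptions for the demo. The buggy ordering appears to work while some other holder still has a reference (scenario 1), which is how this class of bug survives testing; with the last reference it reads freed memory, so only the fixed ordering is exercised there (scenario 2).

```c
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative refcount model (not the erdma driver's code): a kref-style
 * object that is freed when the last reference is dropped.
 */
struct cep {
    int refcnt;
    int state;      /* stands in for whatever the caller reads after accept */
};

static int cep_freed;   /* counts releases so a caller can see the free happen */

static struct cep *cep_alloc(int state)
{
    struct cep *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->refcnt = 1;
    c->state = state;
    return c;
}

static void cep_get(struct cep *c) { c->refcnt++; }

static void cep_put(struct cep *c)
{
    if (--c->refcnt == 0) {
        cep_freed++;
        memset(c, 0x6b, sizeof(*c));   /* like slab poisoning: contents are gone */
        free(c);
    }
}

/*
 * Buggy ordering from the advisory: drop the reference, then dereference.
 * Safe only while someone else still holds a reference; with the last one
 * it reads freed memory.
 */
static int accept_newconn_buggy(struct cep *c)
{
    cep_put(c);
    return c->state;
}

/* Fixed ordering: read what is needed first, then drop the reference. */
static int accept_newconn_fixed(struct cep *c)
{
    int state = c->state;
    cep_put(c);                /* c is invalid from here on */
    return state;
}

/* Scenario 1: a second reference masks the bug; both orderings "work". */
static int demo_masked_by_extra_ref(void)
{
    struct cep *c = cep_alloc(42);
    int s;

    cep_get(c);                          /* extra holder, as a driver might have */
    s = accept_newconn_buggy(c);         /* refcnt 2 -> 1, object still alive */
    cep_put(c);
    return s;
}

/* Scenario 2: last reference; only the fixed ordering is sound. */
static int demo_last_ref_fixed(void)
{
    struct cep *c;
    int s;

    cep_freed = 0;
    c = cep_alloc(7);
    s = accept_newconn_fixed(c);         /* refcnt 1 -> 0, freed inside */
    return cep_freed == 1 ? s : -1;
}
```

Running scenario 2 through accept_newconn_buggy instead is the bug: the read of c->state happens after free(), and under KASAN or slab poisoning it is reported as a use-after-free.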

CVE-2025-22087 – bpf: Fix array bounds error with may_goto
https://notcve.org/view.php?id=CVE-2025-22087
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix array bounds error with may_goto may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index by stack_size. 1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT cases, reject loading directly. 2. For non-JIT cases, calculating interpreters[idx] may still cause out-of-bounds array access, and just warn about it. 3. For jit_requested cases, th...
https://git.kernel.org/stable/c/011832b97b311bb9e3c27945bc0d1089a14209c9

CVE-2025-22086 – RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
https://notcve.org/view.php?id=CVE-2025-22086
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against...
https://git.kernel.org/stable/c/e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c

CVE-2025-22085 – RDMA/core: Fix use-after-free when rename device name
https://notcve.org/view.php?id=CVE-2025-22085
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix use-after-free when rename device name Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025 CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name: Google...
https://git.kernel.org/stable/c/9cbed5aab5aeea420d0aa945733bf608449d44fb

CVE-2025-22084 – w1: fix NULL pointer dereference in probe
https://notcve.org/view.php?id=CVE-2025-22084
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: w1: fix NULL pointer dereference in probe The w1_uart_probe() function calls w1_uart_serdev_open() (which includes devm_serdev_device_open()) before setting the client ops via serdev_device_set_client_ops(). This ordering can trigger a NULL pointer dereference in the serdev controller's receive_buf handler, as it assumes serdev->ops is valid when SERPORT_ACTIVE is set. This is similar to the issue fixed in commit 5e700b384ec1 ("platform/chr...
https://git.kernel.org/stable/c/a3c08804364e80328a9ffdac59bb26676b938195

CVE-2025-22083 – vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
https://notcve.org/view.php?id=CVE-2025-22083
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scs...
https://git.kernel.org/stable/c/4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3

CVE-2025-22082 – iio: backend: make sure to NULL terminate stack buffer
https://notcve.org/view.php?id=CVE-2025-22082
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: backend: make sure to NULL terminate stack buffer Make sure to NULL terminate the buffer in iio_backend_debugfs_write_reg() before passing it to sscanf(). It is a stack variable so we should not assume it will be 0-initialized.
https://git.kernel.org/stable/c/cdf01e0809a4c6c7877ea52401c2a6679df7aed6
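
Added illustrative example, not the iio code: a userspace model of a debugfs-style write handler that receives `count` bytes with no terminator and hands them to sscanf(). BUF_SZ, the "<reg> <val>" format and the `stale` byte that simulates leftover stack contents are assumptions for the demo. The buggy variant shows the concrete effect of a missing terminator: sscanf() keeps consuming stale bytes after the copied input, so "20" parses as 0x20ffffff rather than 0x20. The fixed variant bounds the copy and terminates before parsing.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 12   /* small so the stale-bytes effect stays representable */

/*
 * Model of a debugfs-style write handler: `count` bytes arrive without a
 * terminator and are parsed with sscanf().  Illustrative, not the iio code.
 * `stale` stands in for whatever the stack held before the call.
 */
static int parse_reg_buggy(const char *in, size_t count, char stale,
                           unsigned *reg, unsigned *val)
{
    char buf[BUF_SZ];

    memset(buf, stale, sizeof(buf));   /* simulate uninitialised stack */
    buf[BUF_SZ - 1] = '\0';            /* keep this demo within the array */
    if (count >= BUF_SZ - 1)
        return -1;
    memcpy(buf, in, count);            /* no terminator after the copy */
    return sscanf(buf, "%x %x", reg, val) == 2 ? 0 : -1;
}

/* Fixed: bound the copy and terminate before sscanf() runs. */
static int parse_reg_fixed(const char *in, size_t count,
                           unsigned *reg, unsigned *val)
{
    char buf[BUF_SZ];

    if (count >= sizeof(buf))
        return -1;
    memcpy(buf, in, count);
    buf[count] = '\0';
    return sscanf(buf, "%x %x", reg, val) == 2 ? 0 : -1;
}

/* Constructed input "10 20" (5 bytes) with 'f' as the stale stack byte. */
static unsigned demo_buggy_val(void)
{
    unsigned reg = 0, val = 0;

    if (parse_reg_buggy("10 20", 5, 'f', &reg, &val) != 0)
        return 0;
    return val;      /* "20" followed by stale 'f's: 0x20ffffff */
}

static unsigned demo_fixed_val(void)
{
    unsigned reg = 0, val = 0;

    if (parse_reg_fixed("10 20", 5, &reg, &val) != 0)
        return 0;
    return val;      /* 0x20 */
}

/* Oversized writes are refused instead of truncated or overflowed. */
static int demo_fixed_rejects_oversize(void)
{
    unsigned reg, val;

    return parse_reg_fixed("10 20 plus lots of junk", 23, &reg, &val);
}
```

The demo pins the stale bytes to 'f' so the result is deterministic; on a real stack the trailing bytes are whatever the previous frame left, which is why the bug shows up as flaky register writes rather than a clean failure.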

CVE-2025-22081 – fs/ntfs3: Fix a couple integer overflows on 32bit systems
https://notcve.org/view.php?id=CVE-2025-22081
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a couple integer overflows on 32bit systems On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can have an integer wrapping issue. Fix it by using size_add().
https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17

CVE-2025-22080 – fs/ntfs3: Prevent integer overflow in hdr_first_de()
https://notcve.org/view.php?id=CVE-2025-22080
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Prevent integer overflow in hdr_first_de() The "de_off" and "used" variables come from the disk so they both need to be checked. The problem is that on 32bit systems if they're both greater than UINT_MAX - 16 then the check does work as intended because of an integer overflow.
https://git.kernel.org/stable/c/60ce8dfde03558bfc290cd915c60fa243ba2ae84
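
Added illustrative example covering both ntfs3 entries above (CVE-2025-22081 and CVE-2025-22080), not the ntfs3 code: a userspace model of the "offset + header size <= used" bound check with size_t modelled as uint32_t so the 32-bit wrap is visible on a 64-bit host. DE_HDR_SIZE and the function names are assumptions; size32_add() mirrors the kernel's size_add() contract (saturate to SIZE_MAX on overflow) rather than being its code. The point of the demo is that an attacker-controlled offset near UINT_MAX makes the unchecked sum wrap to a small number and pass the bound, while the saturated sum cannot.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Models a 32-bit kernel's size_t with uint32_t so the wrap is visible on a
 * 64-bit host.  Illustrative; not the ntfs3 code.
 */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX
#define DE_HDR_SIZE 16u   /* assumed stand-in for sizeof(struct NTFS_DE) */

/* Userspace model of the kernel's size_add(): saturate rather than wrap. */
static size32_t size32_add(size32_t a, size32_t b)
{
    if (a > SIZE32_MAX - b)
        return SIZE32_MAX;
    return a + b;
}

/*
 * Buggy: `off` and `used` both come from disk.  When off is close to
 * UINT32_MAX the sum wraps to a small value, lands below `used`, and the
 * check passes for an entry that does not fit.
 */
static bool de_fits_buggy(size32_t off, size32_t used)
{
    return off + DE_HDR_SIZE <= used;
}

/* Fixed: the saturated sum can only pass if the entry really fits. */
static bool de_fits_fixed(size32_t off, size32_t used)
{
    return size32_add(off, DE_HDR_SIZE) <= used;
}
```

With off = 0xfffffff8 and used = 0x1000 (constructed values), de_fits_buggy() returns true because 0xfffffff8 + 16 wraps to 8; de_fits_fixed() returns false. For in-range offsets the two agree.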

CVE-2025-22079 – ocfs2: validate l_tree_depth to avoid out-of-bounds access
https://notcve.org/view.php?id=CVE-2025-22079
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate l_tree_depth to avoid out-of-bounds access The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is limited to OCFS2_MAX_PATH_DEPTH. Add a check to prevent out-of-bounds access if l_tree_depth has an invalid value, which may occur when reading from a corrupted mounted disk [1].
https://git.kernel.org/stable/c/ccd979bdbce9fba8412beb3f1de68a9d0171b12c
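
Added illustrative example, not the ocfs2 code: a userspace model of reading a 16-bit depth field from on-disk bytes and using it as an array index. MAX_PATH_DEPTH, the struct layout and the function names are assumptions; the page gives only that the real limit is OCFS2_MAX_PATH_DEPTH, far below the 65535 a __le16 can hold. The demo shows the validation step a filesystem needs before any disk-supplied value becomes an index: reject it as corruption instead of trusting it.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/*
 * Assumed stand-in for OCFS2_MAX_PATH_DEPTH; the page does not give the
 * value, and the code below only needs it to be far smaller than 65535.
 */
#define MAX_PATH_DEPTH 5

struct path {
    uint64_t node_blkno[MAX_PATH_DEPTH + 1];   /* one slot per level, root at 0 */
};

/* Decode a little-endian __le16 field from the on-disk header bytes. */
static uint16_t le16_from_disk(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Buggy: the disk value is used as an index without any range check. */
static int path_set_level_buggy(struct path *path, const uint8_t *disk_hdr,
                                uint64_t blkno)
{
    uint16_t depth = le16_from_disk(disk_hdr);

    path->node_blkno[depth] = blkno;   /* depth may be up to 65535 */
    return 0;
}

/* Fixed: a depth beyond the array is treated as corruption, not trusted. */
static int path_set_level_fixed(struct path *path, const uint8_t *disk_hdr,
                                uint64_t blkno)
{
    uint16_t depth = le16_from_disk(disk_hdr);

    if (depth > MAX_PATH_DEPTH)
        return -EINVAL;      /* the kernel would flag the fs as corrupted */
    path->node_blkno[depth] = blkno;
    return 0;
}

/* Sane header (constructed bytes): depth 2. Both variants behave the same. */
static int demo_valid_depth(void)
{
    static const uint8_t hdr[2] = { 0x02, 0x00 };
    struct path p;

    memset(&p, 0, sizeof(p));
    if (path_set_level_buggy(&p, hdr, 1) != 0 || p.node_blkno[2] != 1)
        return -1;
    if (path_set_level_fixed(&p, hdr, 0xabcd) != 0)
        return -1;
    return p.node_blkno[2] == 0xabcd ? 0 : -1;
}

/*
 * Corrupted header (constructed bytes): depth 0xffff.  Only the fixed
 * variant is safe to call here; the buggy one would write 64 KiB past the
 * array.
 */
static int demo_corrupt_depth(void)
{
    static const uint8_t hdr[2] = { 0xff, 0xff };
    struct path p;

    memset(&p, 0, sizeof(p));
    return path_set_level_fixed(&p, hdr, 0xabcd);   /* -EINVAL */
}
```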