CVSS: -EPSS: %CPEs: 17EXPL: 0CVE-2021-47634 – ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
https://notcve.org/view.php?id=CVE-2021-47634
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_atta... • https://git.kernel.org/stable/c/714fb87e8bc05ff78255afc0dca981e8c5242785 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2021-47633 – ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
https://notcve.org/view.php?id=CVE-2021-47633
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 The bug was found during fuzzing. Stacktrace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curve is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. pd = &chinfo[pier].pd_curves[idx]; There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_C... • https://git.kernel.org/stable/c/f4de974019a0adf34d0e7de6b86252f1bd266b06 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2021-47632 – powerpc/set_memory: Avoid spinlock recursion in change_page_attr()
https://notcve.org/view.php?id=CVE-2021-47632
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/set_memory: Avoid spinlock recursion in change_page_attr() Commit 1f9ad21c3b38 ("powerpc/mm: Implement set_memory() routines") included a spin_lock() to change_page_attr() in order to safely perform the three step operations. But then commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") modify it to use pte_update() and do the operation safely against concurrent access. In the meantime, Maxime reported ... • https://git.kernel.org/stable/c/6def4eaf0391f24be541633a954c0e4876858b1e •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2021-47631 – ARM: davinci: da850-evm: Avoid NULL pointer dereference
https://notcve.org/view.php?id=CVE-2021-47631
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ARM: davinci: da850-evm: Avoid NULL pointer dereference With newer versions of GCC, there is a panic in da850_evm_config_emac() when booting multi_v5_defconfig in QEMU under the palmetto-bmc machine: Unable to handle kernel NULL pointer dereference at virtual address 00000020 pgd = (ptrval) [00000020] *pgd=00000000 Internal error: Oops: 5 [#1] PREEMPT ARM Modules linked in: CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1 Hardware name: Ge... • https://git.kernel.org/stable/c/bae105879f2f2404155da6f50b3636193d228a62 •
CVSS: 7.8EPSS: %CPEs: 3EXPL: 0CVE-2023-52926 – io_uring/rw: split io_read() into a helper
https://notcve.org/view.php?id=CVE-2023-52926
24 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return). This can lead to a potential use-after-free when the completion via io_rw_done runs at separate context. In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED re... • https://git.kernel.org/stable/c/72060434a14caea20925e492310d6e680e3f9007 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21704 – usb: cdc-acm: Check control transfer buffer size before access
https://notcve.org/view.php?id=CVE-2025-21704
22 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present sinc... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-21703 – netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
https://notcve.org/view.php?id=CVE-2025-21703
18 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list. In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427 • CWE-416: Use After Free •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21702 – pfifo_tail_enqueue: Drop new packet when sch->limit == 0
https://notcve.org/view.php?id=CVE-2025-21702
18 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() o... • https://git.kernel.org/stable/c/57dbb2d83d100ea601c54fe129bfde0678db5dee •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21701 – net: avoid race between device unregistration and ethnl ops
https://notcve.org/view.php?id=CVE-2025-21701
13 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21700 – net: sched: Disallow replacing of child qdisc from one parent to another
https://notcve.org/view.php?id=CVE-2025-21700
13 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc cl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •