CVSS: 7.1 • EPSS: 0% • CPEs: 7 • EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation of partially dropped subvolumes [BUG] There is an internal report that balance triggered transaction abort, with the following call trace: item 85 key (594509824 169 0) itemoff 12599 itemsize 33 extent refs 1 gen 197740 flags 2 ref#0: tree block backref root 7 item 86 key (594558976 169 0) itemoff 12566 itemsize 33 extent refs 1 gen 197522 flags 2 ref#0: tree block backref root 7 ... BTRFS error (device loop0)... • https://git.kernel.org/stable/c/fa086b1398cf7e5f7dee7241bd5f2855cb5df8dc •

CVSS: 5.5 • EPSS: 0% • CPEs: 9 • EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() A soft lockup warning was observed on a relatively small x86-64 system with 16 GB of memory when running a debug kernel with kmemleak enabled. watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] The test system was running a workload with hot unplug happening in parallel. Then kmemleak decided to disable itself due to its inability to allocate more kmemleak object... • https://git.kernel.org/stable/c/9f1f4e95031f84867c5821540466d62f88dab8ca •

CVSS: 6.5 • EPSS: 0% • CPEs: 13 • EXPL: 0

11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB ... • https://git.kernel.org/stable/c/ac60717f9a8d21c58617d0b34274babf24135835 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •

CVSS: 7.5 • EPSS: 0% • CPEs: 9 • EXPL: 0

07 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() The function needs to check the minimal filehandle length before it can access the embedded filehandle. An out-of-bounds read flaw was found in the Linux kernel NFS functionality in the way a connected user sends malicious data to the server. A remote user could use this flaw to crash the system. It was discovered that improper initialization of CPU cache memory could allow a local at... • https://git.kernel.org/stable/c/20fa19027286983ab2734b5910c4a687436e0c31 • CWE-125: Out-of-bounds Read •

CVSS: 7.2 • EPSS: 0% • CPEs: 4 • EXPL: 0

05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/ism: fix concurrency management in ism_cmd() The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driver in Linux does not honor that requirement. This patch aims to rectify that. This problem was discovered based on Aliaksei's bug report which states that for certain workloads the ISM functions end up entering e... • https://git.kernel.org/stable/c/684b89bc39ce4f204b1a2b180f39f2eb36a6b695 •

CVSS: 5.5 • EPSS: 0% • CPEs: 10 • EXPL: 0

05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FI... • https://git.kernel.org/stable/c/c49436b657d0a56a6ad90d14a7c3041add7cf64d •

CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus, it is currently possible for user code to access a read protected address via a system call. Fix this by probing read access rights at privilege... • https://git.kernel.org/stable/c/28a9b71671fb4a2993ef85b8ef6f117ea63894fe •

CVSS: 7.1 • EPSS: 0% • CPEs: 5 • EXPL: 0

05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel and gateway page execute at privilege level 0, so this code never triggers a read access interruption. Thus, it is currently possible for u... • https://git.kernel.org/stable/c/e8b496c52aa0c6572d88db7cab85aeea6f9c194d •

CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When a program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows. [hverkuil: call vb2_is_busy instead of vb2_is_streaming] In the Linux kernel, the following vulne... • https://git.kernel.org/stable/c/0e0fe3958fdd13dbf55c3a787acafde6efd04272 •

CVSS: 7.0 • EPSS: 0% • CPEs: 8 • EXPL: 0

05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock. Multiple interrupt invocations can race, with each reading... • https://git.kernel.org/stable/c/0f314f6c2e77beb1a232be21dd6be4e1849ba5ac •