CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-50470 – xhci: Remove device endpoints from bandwidth list when freeing the device
https://notcve.org/view.php?id=CVE-2022-50470
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: xhci: Remove device endpoints from bandwidth list when freeing the device Endpoints are normally deleted from the bandwidth list when they are dropped, before the virt device is freed. If xHC host is dying or being removed then the endpoints aren't dropped cleanly due to functions returning early to avoid interacting with a non-accessible host controller. So check and delete endpoints that are still on the bandwidth list when freeing the vi... • https://git.kernel.org/stable/c/2e27980e6eb78114c4ecbaad1ba71836e3887d18 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39953 – cgroup: split cgroup_destroy_wq into 3 workqueues
https://notcve.org/view.php?id=CVE-2025-39953
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: cgroup: split cgroup_destroy_wq into 3 workqueues A hung task can occur during [1] LTP cgroup testing when repeatedly mounting/unmounting perf_event and net_prio controllers with systemd.unified_cgroup_hierarchy=1. The hang manifests in cgroup_lock_and_drain_offline() during root destruction. Related case: cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio Call Trace: cg... • https://git.kernel.org/stable/c/334c3679ec4b2b113c35ebe37d2018b112dd5013 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39952 – wifi: wilc1000: avoid buffer overflow in WID string configuration
https://notcve.org/view.php?id=CVE-2025-39952
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: avoid buffer overflow in WID string configuration Fix the following copy overflow warning identified by Smatch checker. drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame() error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537) This patch introduces size check before accessing the memory buffer. The checks are base on the WID type of received data from the firmware. For WID strin... • https://git.kernel.org/stable/c/c5c77ba18ea66aa05441c71e38473efb787705a4 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-39949 – qed: Don't collect too many protection override GRC elements
https://notcve.org/view.php?id=CVE-2025-39949
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: qed: Don't collect too many protection override GRC elements In the protection override dump path, the firmware can return far too many GRC elements, resulting in attempting to write past the end of the previously-kmalloc'ed dump buffer. This will result in a kernel panic with reason: BUG: unable to handle kernel paging request at ADDRESS where "ADDRESS" is just past the end of the protection override dump buffer. The start address of the b... • https://git.kernel.org/stable/c/d52c89f120de849575f6b2e5948038f2be12ce6f •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39945 – cnic: Fix use-after-free bugs in cnic_delete_task
https://notcve.org/view.php?id=CVE-2025-39945
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs in cnic_delete_task The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), which does not guarantee that the delayed work item 'delete_task' has fully completed if it was already running. Additionally, the delayed work item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work... • https://git.kernel.org/stable/c/fdf24086f4752aee5dfb40143c736250df017820 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39940 – dm-stripe: fix a possible integer overflow
https://notcve.org/view.php?id=CVE-2025-39940
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: dm-stripe: fix a possible integer overflow There's a possible integer overflow in stripe_io_hints if we have too large chunk size. Test if the overflow happened, and if it did, don't set limits->io_min and limits->io_opt; In the Linux kernel, the following vulnerability has been resolved: dm-stripe: fix a possible integer overflow There's a possible integer overflow in stripe_io_hints if we have too large chunk size. Test if the overflow ha... • https://git.kernel.org/stable/c/40bea431274c247425e7f5970d796ff7b37a2b22 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39937 – net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
https://notcve.org/view.php?id=CVE-2025-39937
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_d... • https://git.kernel.org/stable/c/7d5e9737efda16535e5b54bd627ef4881d11d31f •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39933 – smb: client: let recv_done verify data_offset, data_length and remaining_data_length
https://notcve.org/view.php?id=CVE-2025-39933
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: let recv_done verify data_offset, data_length and remaining_data_length This is inspired by the related server fixes. • https://git.kernel.org/stable/c/f198186aa9bbd60fae7a2061f4feec614d880299 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-39932 – smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
https://notcve.org/view.php?id=CVE-2025-39932
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) In smbd_destroy() we may destroy the memory so we better wait until post_send_credits_work is no longer pending and will never be started again. I actually just hit the case using rxe: WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe] ... [ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs] [ 53... • https://git.kernel.org/stable/c/f198186aa9bbd60fae7a2061f4feec614d880299 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39931 – crypto: af_alg - Set merge to zero early in af_alg_sendmsg
https://notcve.org/view.php?id=CVE-2025-39931
04 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set merge to zero early in af_alg_sendmsg If an error causes af_alg_sendmsg to abort, ctx->merge may contain a garbage value from the previous loop. This may then trigger a crash on the next entry into af_alg_sendmsg when it attempts to do a merge that can't be done. Fix this by setting ctx->merge to zero near the start of the loop. In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set mer... • https://git.kernel.org/stable/c/8ff590903d5fc7f5a0a988c38267a3d08e6393a2 •